Airport (not extreme) card, and WEP? WPA?

[Todd H.]

Greetings,

3 hopefully simple questions for y'all!

I'm a bit cautious about wireless security...and I'm interested in
building a small wireless network with as many security features
enabled as possible for my iBook. I'm also a Mac neophyte trying his
best to get up the learning curve.

I have a white iBook dual USB 600MHz/256Mb/20GB/COMBO 14.1" running OS
X 10.1.2 that will accept a regular ole Airport card (which I'm about
to purchase): Airport Card at CDW.com:
[url]http://www.cdw.com/shop/products/default.aspx?EDC=454503[/url]

Question 1) "How much security is possible with the non-Extreme Airpot
card?" I'm led to believe by this article:
AirPort: How to Join an Encrypted Wireless Network
[url]http://docs.info.apple.com/article.html?artnum=106424[/url]
..that the airport card teams up with the Airport software on the
computer to enable 128bit WEP to a third party base station (my
planned Linksys Wireless G router will happily do 128wep).

Does anyone have a plain ole airport card who's running 128WEP?

Naturally I'd enable all the usual goodies on the AP to turn off
SSID broadcasts, change defaults, lock down to specific MAC
addresses and the like.

Question 2) Airport software 2.1.1 or later appears to be required for
128-bit WEP according to
[url]http://docs.info.apple.com/article.html?artnum=120121[/url]

Now, that software appears to require OS X 10.2. And...oy, I'm at
10.1.2. As a complete newbie to the Mac, would some kind sould
point me the way to get to 10.2 or later (download? buy upgrade)?
And will I have to pay anything to do so? It appears that the .x
releases mean "pay Apple more money" is this true?

Question 3) Does anyone know if firmware or software will be ever be
available to get the Airport card up to WPA for added security
over the flawed WEP? A web search yielded "WPA coming with
Panther" which I further searched to decode this as OS X
10.3. But I wasn't able to see if the Airport card would be
along for the ride on that upgrade, or if it'll only be
available for the Airport Extreme.

Thanks so much to anyone who can shed some light on these things!

Best Regards,
--
Todd H.
[url]http://www.toddh.net/[/url]

[John Johnson]

In article <m0wubdd86f.fsf@rcn.com>, [email]comphelp@toddh.net[/email] (Todd H.)
wrote:

> Greetings,
>

[snip]

>
> Question 2) Airport software 2.1.1 or later appears to be required for
> 128-bit WEP according to
> [url]http://docs.info.apple.com/article.html?artnum=120121[/url]
>
> Now, that software appears to require OS X 10.2. And...oy, I'm at
> 10.1.2. As a complete newbie to the Mac, would some kind sould
> point me the way to get to 10.2 or later (download? buy upgrade)?
> And will I have to pay anything to do so? It appears that the .x
> releases mean "pay Apple more money" is this true?

Basically, yes. You must pay to get any OS past 10.1.x
Of course, with Panther coming out soon, your best economy for the
upgrads is to purchase that directly. If you are a student or teacher in
the USA, educational pricing is available ($69USD). I would recommend
upgrading, even at the full price, as later versions of OS X are much
more stable, have more features (e.g. CUPS printing, better access to
NTFS volumes, etc.), and run faster on supported hardware. Your battery
life will probably improve as well. Your machine is supported for
Panther.

>

Sorry, I don't have any other answers.

[Tom Harrington]

In article <m0wubdd86f.fsf@rcn.com>, [email]comphelp@toddh.net[/email] (Todd H.)
wrote:

> I'm a bit cautious about wireless security...and I'm interested in
> building a small wireless network with as many security features
> enabled as possible for my iBook. I'm also a Mac neophyte trying his
> best to get up the learning curve.
>
> I have a white iBook dual USB 600MHz/256Mb/20GB/COMBO 14.1" running OS
> X 10.1.2 that will accept a regular ole Airport card (which I'm about
> to purchase): Airport Card at CDW.com:
> [url]http://www.cdw.com/shop/products/default.aspx?EDC=454503[/url]
>
> Question 1) "How much security is possible with the non-Extreme Airpot
> card?" I'm led to believe by this article:
> AirPort: How to Join an Encrypted Wireless Network
> [url]http://docs.info.apple.com/article.html?artnum=106424[/url]
> ..that the airport card teams up with the Airport software on the
> computer to enable 128bit WEP to a third party base station (my
> planned Linksys Wireless G router will happily do 128wep).
>
> Does anyone have a plain ole airport card who's running 128WEP?
>
> Naturally I'd enable all the usual goodies on the AP to turn off
> SSID broadcasts, change defaults, lock down to specific MAC
> addresses and the like.

I think your understanding is correct, however I don't think it's
relevant to any sort of real security. WEP is easily cracked, and free
tools are available to do so automatically. It may deter a casual
snooper who happens to pick up your signal, but it's not "secure" in any
reasonable sense of the word. Anyone who wants to crack it will find it
simple to do so.

If you want your wireless connection to be secure, you need to use SSL
encryption. If servers you're connecting to don't support this, you can
secure at least the Airport portion of the connection using SSH
tunnelling. Anyone listening in on an SSL/SSH-encrypted channel is just
going to get gibberish. It helps to have a second computer (Mac, Linux,
Windows, etc) that's not using a wireless link, or an ISP that allows
SSH connections, if you want to set this up.

> Question 2) Airport software 2.1.1 or later appears to be required for
> 128-bit WEP according to
> [url]http://docs.info.apple.com/article.html?artnum=120121[/url]
>
> Now, that software appears to require OS X 10.2. And...oy, I'm at
> 10.1.2. As a complete newbie to the Mac, would some kind sould
> point me the way to get to 10.2 or later (download? buy upgrade)?
> And will I have to pay anything to do so? It appears that the .x
> releases mean "pay Apple more money" is this true?

Well, 10.1 was a free update to 10.0.x, but 10.2 was and 10.3 will be
paid updates. I don't know if that establishes any kind of rule. As
10.3 is due on October 24, I'd hold off on buying until then.

> Question 3) Does anyone know if firmware or software will be ever be
> available to get the Airport card up to WPA for added security
> over the flawed WEP? A web search yielded "WPA coming with
> Panther" which I further searched to decode this as OS X
> 10.3. But I wasn't able to see if the Airport card would be
> along for the ride on that upgrade, or if it'll only be
> available for the Airport Extreme.

Nothing official has been announced, and no information on this subject
has been leaked.

--
Tom "Tom" Harrington
Macaroni, Automated System Maintenance for Mac OS X.
Version 1.4: Best cleanup yet, gets files other tools miss.
See [url]http://www.atomicbird.com/[/url]

[Todd H.]

John Johnson <null@invalid.com> writes:

> In article <m0wubdd86f.fsf@rcn.com>, [email]comphelp@toddh.net[/email] (Todd H.)
> wrote:
>

> > Greetings,
> >

>
> [snip]

> >
> > Question 2) Airport software 2.1.1 or later appears to be required for
> > 128-bit WEP according to
> > [url]http://docs.info.apple.com/article.html?artnum=120121[/url]
> >
> > Now, that software appears to require OS X 10.2. And...oy, I'm at
> > 10.1.2. As a complete newbie to the Mac, would some kind sould
> > point me the way to get to 10.2 or later (download? buy upgrade)?
> > And will I have to pay anything to do so? It appears that the .x
> > releases mean "pay Apple more money" is this true?

>
> Basically, yes. You must pay to get any OS past 10.1.x
> Of course, with Panther coming out soon, your best economy for the
> upgrads is to purchase that directly. If you are a student or teacher in
> the USA, educational pricing is available ($69USD). I would recommend
> upgrading, even at the full price, as later versions of OS X are much
> more stable, have more features (e.g. CUPS printing, better access to
> NTFS volumes, etc.), and run faster on supported hardware. Your battery
> life will probably improve as well. Your machine is supported for
> Panther.

> >

> Sorry, I don't have any other answers.

Thanks John! Looks like there are several reasons to go with the
panther upgrade, especially since it will run on this system.

--
Todd H.
[url]http://www.toddh.net/[/url]

[Todd H.]

Tom Harrington <tph@pcisys.no.spam.dammit.net> writes:

> I think your understanding is correct, however I don't think it's
> relevant to any sort of real security. WEP is easily cracked, and free
> tools are available to do so automatically. It may deter a casual
> snooper who happens to pick up your signal, but it's not "secure" in any
> reasonable sense of the word. Anyone who wants to crack it will find it
> simple to do so.

I agree. But it beats nothing as you say, and WPA isn't even
available for any mac wireless until panther it seems. :-)

> If you want your wireless connection to be secure, you need to use SSL
> encryption. If servers you're connecting to don't support this, you can
> secure at least the Airport portion of the connection using SSH
> tunnelling. Anyone listening in on an SSL/SSH-encrypted channel is just
> going to get gibberish. It helps to have a second computer (Mac, Linux,
> Windows, etc) that's not using a wireless link, or an ISP that allows
> SSH connections, if you want to set this up.

I'm quite versed in SSH and use it regularly... but I'm curious how
you propose its use for securing the connection of the airport
card-to-wireless endpoint communication. Or if you're talking about
end to end security of, say unix shell sessions like hte one I'm using
as I type this.

FWIW, the security of the actual transmissions isn't so much my
concern as unauthorized use of my access point.

> > Question 2) Airport software 2.1.1 or later appears to be required for

> Well, 10.1 was a free update to 10.0.x, but 10.2 was and 10.3 will be
> paid updates. I don't know if that establishes any kind of rule. As
> 10.3 is due on October 24, I'd hold off on buying until then.

sounds like fine advice. Thanks for the clarification!

>

> > Question 3) Does anyone know if firmware or software will be ever be
> > available to get the Airport card up to WPA for added security
> > over the flawed WEP? A web search yielded "WPA coming with
> > Panther" which I further searched to decode this as OS X
> > 10.3. But I wasn't able to see if the Airport card would be
> > along for the ride on that upgrade, or if it'll only be
> > available for the Airport Extreme.

>
> Nothing official has been announced, and no information on this subject
> has been leaked.

This is the article I'd found, fwiw:
[url]http://www.geek.com/news/geeknews/2003Jun/bma20030630020622.htm[/url]

I can't speak to its reliability of course. Microsoft is saying this
as well, but of course that's to be taken with a grain of salt:
"Macintosh users will need to wait for the release of Mac OS 10.3
(Panther) for WPA functionality."
[url]http://www.microsoft.com/WindowsXP/expertzone/columns/bowman/03july28.asp[/url]

Thanks again for the useful responses!

Best Regards,
--
Todd H.
[url]http://www.toddh.net/[/url]

[Tom Harrington]

In article <m0smm13pdx.fsf@rcn.com>, [email]comphelp@toddh.net[/email] (Todd H.)
wrote:

> > If you want your wireless connection to be secure, you need to use SSL
> > encryption. If servers you're connecting to don't support this, you can
> > secure at least the Airport portion of the connection using SSH
> > tunnelling. Anyone listening in on an SSL/SSH-encrypted channel is just
> > going to get gibberish. It helps to have a second computer (Mac, Linux,
> > Windows, etc) that's not using a wireless link, or an ISP that allows
> > SSH connections, if you want to set this up.

>
> I'm quite versed in SSH and use it regularly... but I'm curious how
> you propose its use for securing the connection of the airport
> card-to-wireless endpoint communication. Or if you're talking about
> end to end security of, say unix shell sessions like hte one I'm using
> as I type this.
>
> FWIW, the security of the actual transmissions isn't so much my
> concern as unauthorized use of my access point.

Given this "FWIW", I'm not sure it matters, since I was thinking mostly
of security of data in transit.

The key is the second computer and/or ISP that I mentioned. I want to
use Airport, and I don't want someone cracking WEP to be able to
intercept it. So I do as follows: I start up an SSH connection to my
ISP, with local port 9110 forwarded to my ISP's mail server port 110
(which is POP3). Then I set up my email program so that the POP3 server
is localhost, with port 9110. Now, anyone can listen in on my Airport
link, but they can't pick up my email. The SSH command would be
something like this:

ssh -N -L9110:mail:110 shell

....where "mail" is replaced by my ISP's mail server, and "shell" by
their shell server. (I usually add "-v" to keep an eye on what the
session's doing). Thanks to my ~/.ssh/config file, the set up is all
automatic. I have a similar setup for IMAP to a different site, and
some other ports as well. Any data that's in any way important is
encrypted before going wireless.

Since I sometimes have my Powerbook in unfamiliar environments, both
wired and unwired, I like using this scheme to ensure that anything
important is encrypted from the local link to my ISP.

--
Tom "Tom" Harrington
Macaroni, Automated System Maintenance for Mac OS X.
Version 1.4: Best cleanup yet, gets files other tools miss.
See [url]http://www.atomicbird.com/[/url]

[Todd H.]

Tom Harrington <tph@pcisys.no.spam.dammit.net> writes:

> > FWIW, the security of the actual transmissions isn't so much my
> > concern as unauthorized use of my access point.

>
> Given this "FWIW", I'm not sure it matters, since I was thinking mostly
> of security of data in transit.

Ah.. gotcha.

> The key is the second computer and/or ISP that I mentioned. I want to
> use Airport, and I don't want someone cracking WEP to be able to
> intercept it. So I do as follows: I start up an SSH connection to my
> ISP, with local port 9110 forwarded to my ISP's mail server port 110
> (which is POP3). Then I set up my email program so that the POP3 server
> is localhost, with port 9110. Now, anyone can listen in on my Airport
> link, but they can't pick up my email. The SSH command would be
> something like this:
>
> ssh -N -L9110:mail:110 shell
>
> ...where "mail" is replaced by my ISP's mail server, and "shell" by
> their shell server. (I usually add "-v" to keep an eye on what the
> session's doing). Thanks to my ~/.ssh/config file, the set up is all
> automatic. I have a similar setup for IMAP to a different site, and
> some other ports as well. Any data that's in any way important is
> encrypted before going wireless.
>
> Since I sometimes have my Powerbook in unfamiliar environments, both
> wired and unwired, I like using this scheme to ensure that anything
> important is encrypted from the local link to my ISP.

I do something very similar to get news access from a shell account
where inbound nntp is blocked. SSH is beautiful. :-) So many
solutions to so many different problems.

Now that I'm thinking about it, I'd bet that there's a "vpn
implementation of SSL encrypted VPN between laptop and a
build-it-yourself PC/access point using Linux on a floppy disk"
project somewhere on the net, where someone is taking old PC's
dropping a wireless card and network card into em, and rolling their
own access points that implement VPN encrytpion from laptop to the
accesspoint.

Sure enough...a web search bears fruit:

Building a wireless access point on Linux
[url]http://www-106.ibm.com/developerworks/library/l-wap.html?ca=dnt-429[/url]

Geek love is strong.

--
Todd H.
[url]http://www.toddh.net/[/url]