Occasional Contributor II
Posts: 41
Registered: ‎04-03-2007

Firesheep

http://codebutler.com/firesheep

I'm sure you have all been up all night every night since Sunday's release of Firesheep. If you don't know, Firesheep uses raw sockets on the local host to monitor other users' session cookies over an unencrypted network - wired or wireless. This is completely defeated by WPA encryption as each WPA client negotiates an individual key.

What can we do on the VAP or SSID level to mitigate this? I can only get so many users on our encrypted network (about 15%) and I don't think our back end could even handle every user going to encrypted.

Thoughts?
Aruba Employee
Posts: 19
Registered: ‎04-27-2009

Open is insecure

Sable,

At the end of the day there is no way to stop users from engaging in insecure activities. Firesheep brings together a number of existing techniques and the press surrounding it has done a good job of raising awareness. However, Firesheep is only one example. Any cleartext protocol used with authentication on an open network should be avoided. This includes HTTP, IMAP, POP, SMTP, AIM, YahooIM, and a host of others.

To the users: Don't trust an open network; hackers are listening. The answer? Don't access Facebook, unsecured email or IM from wifi hotspots without a VPN or other layer of encryption.

Wifi networks should be encrypted. However, encryption introduces configuration complications for the users. When your user base is known and manageable, like in a typical corporation, this can be handled pretty easily. When your user base is unknown or unmanageable, like in hot spots and in many universities, turning on encryption can increase the support costs of the network, as some users will need help even with something as simple as PSK.

The first question for these networks is, of course, should you try to do anything at all? Any technique of attempting to stop indiscriminate users is likely to be just as complicated, if not more so, than just turning on WPA-PSK. As a matter of fact, tracking down false positives and constantly tweaking the filters would be a never-ending job. It is also worth noting the historical stance that ISPs have had on similar issues. That stance is quite simply summed up by the slippery slope of good intentions becoming liability for not doing more.

What if you want to do something anyway?
Well, the only thing you can reliably do is to stop the well-known clear text protocols. Firewall rules can block IMAP, POP, and some IM protocols like the basic AIM protocol on port 5090. However, this would not address Firesheep. To address Firesheep you must block HTTP. Blocking HTTP, of course, blocks access to all of the web sites that don't require any login at all.

My advice is to post signs and attempt to educate users. Open networks are insecure.

-J
Occasional Contributor II
Posts: 41
Registered: ‎04-03-2007

Re: Firesheep

We're well aware of the philosophy of security and the implications of security theater. Thank you.

Now how do we protect our users? We can't do anything silly like block port 80 or blacklist sites. I was thinking more along the lines of isolating users from each other's traffic.

On an unencrypted wifi network, we should be able to isolate each user within their role so that one user cannot see another user's session cookies when they are connected to the AP. A user sniffing the air promiscuously will see the packets in the air regardless of what we do.
Guru Elite
Posts: 20,585
Registered: ‎03-29-2007

Hmm....

Open wireless networks send information back and forth in cleartext. Nothing can be done to protect that, at all. Adding wireless encryption will help mitigate this considerably. Firesheep is a sniffer, so user isolation is not an option. This might actually be the ammunition that higher education and other institutions need to get their users to use wireless encryption on those networks.

Even though Firesheep is being reported on, I'm not sure it is mainstream enough for regular people to understand the problem, much less the solution.

So this brings us back to posting signs and educating users. To get users from unencrypted wireless networks it may be necessary to degrade their experience just enough that they will want to use encryption (bandwidth contract, remove support from some protocols, etc). Sometimes the stick works better than the carrot.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 41
Registered: ‎04-03-2007

Re: Firesheep


> Open wireless networks send information back and forth in cleartext. Nothing can be done to protect that, at all. Adding wireless encryption will help mitigate this considerably. Firesheep is a sniffer, so user isolation is not an option. This might actually be the ammunition that higher education and other institutions need to get their users to use wireless encryption on those networks.
>
> Even though Firesheep is being reported on, I'm not sure it is mainstream enough for regular people to understand the problem, much less the solution.
>
> So this brings us back to posting signs and educating users. To get users from unencrypted wireless networks it may be necessary to degrade their experience just enough that they will want to use encryption (bandwidth contract, remove support from some protocols, etc). Sometimes the stick works better than the carrot.

Two things protect completely against this:

1. WPA encryption or better, as each user negotiates a key
2. Servers providing complete SSL sessions.

As far as user isolation goes, we have a policy that says:

ip access-list session no-campus-user-to-user-policy
  any alias no-campus-user-to-user any deny

Campus users are any wireless users on the unencrypted. Firesheep wasn't working for me on our campus network last week. I plan on trying to break it some more this week.
Guru Elite
Posts: 20,585
Registered: ‎03-29-2007

Campus User

Sable,

Please let us know the results of your testing.


Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 41
Registered: ‎04-03-2007

Re: Firesheep

Okay, so no matter what I do I can't block Firesheep from users on the same access point ... well it was a fun exercise.

I guess we go back to the old ways ^^

1. Educate your users so they do not log in to these sites over the unencrypted wi-fi. Give them alternatives: use encrypted, use a VPN, or ...
2. Talk to the providers and encourage them to enable SSL for all session cookie transport (or, basically everything)

Let me know in this thread if you have any other great ideas. I have started explaining the danger of this by demoing a computer hijacking my own session cookies. I was able to make a one-click purchase on Amazon from the Firesheep "attacker".
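
Added example, not part of the original thread or any poster's code: a small Python audit that a site operator could run over response headers to see which cookies would still cross an open network in cleartext, the server-side gap behind the "SSL for all session cookie transport" point above. The function names and the sample headers are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    exposed: bool  # True if the cookie can travel over plain HTTP

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_response(scheme, headers):
    """Audit one response; headers is a list of (name, value) pairs."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        secure = "secure" in attrs
        # Sniffable on an open network if delivered over plain HTTP, or if it
        # lacks Secure and is therefore attached to any later http:// request.
        exposed = scheme == "http" or not secure
        findings.append(CookieFinding(name, secure, "httponly" in attrs, exposed))
    return findings

def has_hsts(headers):
    """True if the response asks browsers to stay on HTTPS for this host."""
    return any(n.lower() == "strict-transport-security" for n, _ in headers)

def exposed_names(scheme, headers):
    return [f.name for f in audit_response(scheme, headers) if f.exposed]

# Constructed sample responses (not captured traffic).
LOGIN_OVER_HTTPS = [  # login page is HTTPS, but the session cookie is not Secure
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print(exposed_names("https", LOGIN_OVER_HTTPS))
    print(exposed_names("https", HARDENED), has_hsts(HARDENED))
```

HttpOnly is reported but does not change the result: it keeps scripts from reading the cookie and does nothing against a sniffer on the same open network.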
Aruba Employee
Posts: 19
Registered: ‎04-27-2009

Blacksheep

Our friends at Zscaler have released Blacksheep to at least help detect when Firesheep is in use and discourage it.

http://research.zscaler.com/2010/11/blacksheep-tool-to-detect-firesheep.html

-J