Which Network Security Design


hapster
Hi. I was wondering which of the following network security architectures/designs is safer for wifi hotspots (in coffee shops, malls etc...).

The first design I've encountered was where you could connect without any WEP/WPA authentication to the network, but every time you'd try to browse any pages on the Internet with your web browser, you'd be redirected to a login page. In order to log in, you'll have to buy coffee to be given a randomly generated username and password (I'm assuming it's random. hehe) or you could buy usernames and passwords for certain time lengths.

The second one simply uses WEP/WPA encryption before you can access the network.

For the first design, when sniffing the network (since you're already connected and assigned an IP address), all I get are ARP packets and other weird request packets.

The next question prior to which one is better would be what are the security issues that involve both designs? Well ok, we all know there are ways to crack WEP/WPA, but what about the first one? Will you have to hack some database where those usernames and passwords are located?

I'm not that knowledgeable yet in network designs and terminologies so all these are based on experience and curiosity. :) Hope to hear your thoughts. Thanks.

Pros of unsecure:

- Some system is used so that supposedly random usernames/pins could be created per customer

- You don't have to give out the same key to every customer, and since you control it you can limit access to a specific time or disable no-longer-used usernames/pins.

- If you tunnel the traffic of the clients through ssh even though the network is unsecure it shouldn't be a problem.

Cons of unsecure:

- The obv. Think blackhat. They don't have any reason to do personal browsing there, so no need to login once they're on the network. They just want to steal as much information as possible from the victims. An unsecure network should make this uber easy.

- Easy access to your router from anyone who connects to the network. At least with secured, though they could access it, it would be limited to your customers and not just someone outside the shop within close range to connect.

Pros of secured:

- Customers must pay or get permission to even connect to the network in the first place, let alone browse the net. This limits network activity only to your customers and somewhat dodges those who don't want to be known to have used the network if they intend to perform malicious activities on it.

- Content is already encrypted from the up-to-no-good outsider, though you still may want to tunnel clients to prevent theft of information by sniffing.

Cons of secured:

- You will need to change the key often (if not even on a daily basis) so you don't lose money or returning users don't just get back on without having to pay for use. The use of the same password over a long period of time is never a good security practice.

That should pretty much sum up things. Up to the owner to make a decision in the end.
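
The per-customer credentials described in the post above (random usernames/pins, a time limit, disabling ones no longer in use), sketched as an added example that is not part of the original thread. `VoucherStore` and its method names are hypothetical, and starting the time limit at first login is an assumption.

```python
import hashlib
import hmac
import secrets
import time


class VoucherStore:
    """Hypothetical portal back end: random, time-limited, revocable vouchers."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be tested
        self._vouchers = {}      # username -> voucher record

    @staticmethod
    def _digest(pin, salt):
        # Keep only a salted hash, so a leaked table does not expose PINs.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def issue(self, minutes):
        """Create one voucher; the PIN is returned once and never stored."""
        username = "guest-" + secrets.token_hex(4)
        pin = secrets.token_urlsafe(9)       # 72 bits from the OS CSPRNG
        salt = secrets.token_bytes(16)
        self._vouchers[username] = {
            "salt": salt,
            "hash": self._digest(pin, salt),
            "minutes": minutes,
            "expires": None,                 # set when the voucher is first used
            "revoked": False,
        }
        return username, pin

    def revoke(self, username):
        # Disable a voucher that is no longer in use.
        if username in self._vouchers:
            self._vouchers[username]["revoked"] = True

    def login(self, username, pin):
        rec = self._vouchers.get(username)
        if rec is None or rec["revoked"]:
            return False
        if not hmac.compare_digest(rec["hash"], self._digest(pin, rec["salt"])):
            return False
        now = self._clock()
        if rec["expires"] is None:
            rec["expires"] = now + rec["minutes"] * 60
        return now < rec["expires"]
```

This covers only issuing and checking credentials; it does nothing about the sniffing and router-access concerns listed under the cons.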

> - The obv. Think blackhat. They don't have any reason to do personal browsing there, so no need to login once they're on the network. They just want to steal as much information as possible from the victims. An unsecure network should make this uber easy.
>
> - Easy access to your router from anyone who connects to the network. At least with secured, though they could access it, it would be limited to your customers and not just someone outside the shop within close range to connect.

But all I see are ARP packets. How do they do that? It's probably just my sniffer, but is it possible to see other TCP packets when you're connected to the network but not logged in?

> Winners don't do WEP! or warez!

LOL. Wasn't really looking for that kind of comment but thanks anyway. Yes, WEP is weak. But believe it or not, most if not all the networks here in my country are using WEP for encryption. Ignorance is never bliss. hehe

> With the whole login thing, somebody could sniff a cookie and spoof their MAC to bypass login...

Curious, if you spoof a MAC address of another already logged in, will that automatically assign the IP to you? Or will you have to do some extra hacker stuff to get that IP?

> depends... is the router running a DHCP server?

Not really sure. How would I know? I tried nmap-ing the server but just got http 80 and other weird ports open. I think this kind of reconnaissance is quite blind. It's like trying to gain network access with only "can connect to network but keeps being redirected to login page" as your only info..XD

> Well you could always ARP poison and get the cookie, but any unsecure network that uses login, from what I've seen anyway, uses SSL during login.

Hmmm.. but their login page starts with http. I may be mistaken, but can I assume they're not using SSL because of this?

> With the unsecured you could always spoof the login page and just have people typing in their user names and passwords :)

I don't think that's possible unless you can redirect traffic to pass by you first (some man in the middle process). Other than that, you'd have to hack the server I guess? O_o
