[unisog] Bluesocket: Large Deployments?

Joshua Wright Joshua.Wright at jwu.edu
Fri May 2 16:42:34 GMT 2003


After authentication, the NoCatAuth server will spawn a popup window
that maintains a session key with an automatic refresh rate.  If the
NoCatAuth server doesn't see this popup window continue to refresh,
it will deauthenticate the user session.  This provides a reasonable
measure of security against session hijacking attempts, since an
attacker would not be privy to this per-session authentication key.

The BlueSocket device doesn't have a similar feature, and when used
exclusively for captive web portal authentication, is susceptible to
session hijacking.  An attacker simply has to identify a user who has
stopped using the network and has not logged off, assume their IP
address and MAC address (one command line with Linux and ifconfig)
and start assuming the identity of the authenticated user.
Alternatively, the attacker may choose to launch a DoS attack against
a victim, perhaps forcing their workstation to blue-screen, then
assume their session to access the network.

I spoke to BlueSocket about the issue of session hijacking several
months ago and asked them to publicly acknowledge this flaw in their
documentation and in public forums.  They have updated their FAQ
accordingly to identify the risk of session hijacking (see
http://www.bluesocket.com/solutions/faq.html#SessionHijacking1), but
continue to advertise the strength of their product as a clientless
security solution for wireless networks:

"Bluesocket has pulled itself away from the herd of wireless security
vendors with a strong product that advances the state of art in
wireless LAN security in a number of ways".  Then, later: "Its open
standards-based architecture and no need to have a client side
software will be attractive to many customers". (5/1/2003 article by
MobileInfo at http://www.bluesocket.com/news/newslist.csp)

That being said, I believe the BlueSocket offering does lend itself
toward a large-scale deployment.  They offer the ability to maintain
a single configuration base for all non-unique security settings with
replication to other BlueSocket appliances that would simplify
administration and change control.  Just be informed that the default
clientless configuration is easily circumvented with session
hijacking techniques, and determine if it is an acceptable level of
risk for your organization.

I am interested if other people have deployed alternate captive
portal solutions from home-grown parts or commercial solutions.  I
imagine a captive portal could be implemented with Microsoft
solutions as well, potentially a proxy server that required
authentication before permitting dynamic access.

An alternate solution to the clientless authentication method that
would solve the session hijacking problem might be to proxy all
connection attempts through an SSL tunnel.  The proxy device would
interact with the client over HTTPS, proxying all requests to the
requested destinations.

Any takers? :)

-Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wright at jwu.edu 

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

> Bruce,
> We tested Bluesocket and found that it worked okay.  We did not do
> much throughput testing.
> However, we found that Bluesocket is really just a PC with a
> stripped down Linux kernel on it.  Then we found that there was a
> free product called nocat (http://nocat.net) that did essentially
> the same thing. Also, I've heard there are some real security
> problems with Bluesocket, which is one reason we went with nocat....
> We have nocat installed and average about 10-15 wireless users per
> day with very few problems, and are committed to fixing the few
> problems we do have.
> Hope this helps (even though it doesn't really address your
> questions :-) Let me know if you have any questions....
> Paul Asadoorian, GCIA
> Brown University
> 115 Waterman St.
> Providence, RI 02912
> 401.863.7553
> PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
> Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
> Web: http://www.pauldotcom.com 
> > Our institution is currently evaluating Bluesocket's WG-2000
> > device as an answer for managing and controlling our existing
> > wired residential network and any future wireless networks.
> > 
> > I was wondering if anyone on this mailing list has any experience
> > with this device on either a "ResNet" type network or a large
> > deployed wireless network with more than a few users.
> > 
> > I would appreciate any comments unisog members may have about
> > Bluesocket devices.
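
The two session models contrasted in this message, as an added example that is not part of the original post and is neither NoCatAuth nor Bluesocket code. It is a toy gateway session table; `PortalGateway`, `refresh_timeout`, `stale_session_permitted` and the sample addresses are constructed for illustration.

```python
import hmac
import secrets


class PortalGateway:
    """Toy captive-portal session table (constructed for illustration)."""

    def __init__(self, refresh_timeout=None):
        # None models address-only tracking: the (IP, MAC) pair alone
        # identifies the session and it never has to be renewed.
        self.refresh_timeout = refresh_timeout
        self.sessions = {}  # (ip, mac) -> {"key": str, "seen": seconds}

    def login(self, ip, mac, now):
        key = secrets.token_hex(16)  # per-session key held by the popup window
        self.sessions[(ip, mac)] = {"key": key, "seen": now}
        return key

    def refresh(self, ip, mac, key, now):
        """Popup heartbeat: only the matching session key renews the session."""
        s = self.sessions.get((ip, mac))
        if s is None or not hmac.compare_digest(s["key"], key):
            return False
        s["seen"] = now
        return True

    def permits(self, ip, mac, now):
        """Would traffic from this address pair be forwarded at time `now`?"""
        s = self.sessions.get((ip, mac))
        if s is None:
            return False
        if self.refresh_timeout is not None and now - s["seen"] > self.refresh_timeout:
            del self.sessions[(ip, mac)]  # heartbeat stopped: deauthenticate
            return False
        return True


def stale_session_permitted(refresh_timeout, idle_seconds):
    """Log a client in, let it go silent, then test its address pair again."""
    gw = PortalGateway(refresh_timeout)
    ip, mac = "192.0.2.10", "02:00:00:00:00:01"  # constructed sample addresses
    key = gw.login(ip, mac, now=0)
    if refresh_timeout is not None:
        assert gw.refresh(ip, mac, key, now=30)           # real client's heartbeat
        assert not gw.refresh(ip, mac, "0" * 32, now=31)  # wrong key cannot renew
    return gw.permits(ip, mac, now=30 + idle_seconds)
```

With `refresh_timeout=None` the silent client's address pair is still accepted after any idle period. With a 60-second timeout it is dropped once the heartbeat has been missing for longer than that, so in this model the key bounds how long an abandoned session stays usable rather than checking each packet.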
