David M Williams
Monday, 05 November 2007 18:38
Download EtherApe from SourceForge (http://etherape.sourceforge.net). It listens to your network and identifies the load on the network, along with detail on the makeup of the traffic. The source and destination of current network activity, along with the protocol being used, are displayed in a very nice visual manner.
Where EtherApe comes in really handy is identifying the source of network problems and in determining the cause of bandwidth and traffic issues. The SourceForge site also hosts some sample screen shots showing the evolution of EtherApe’s main display. Be sure to check out the FAQ for help on making sure EtherApe can see all the traffic on your subnet and not just its own communications.
EtherApe’s analysis of protocols in use will give additional clues to unauthorised network usage. The more familiar you are with your network, the more you will know what is regular and expected. This includes DNS lookups and web traffic. Depending on your environment you might see SSH traffic – or, if you never use SSH yourself, the existence of SSH traffic can suggest hostile activity.
Similarly, if you never use peer-to-peer apps, the existence of LimeWire or Gnutella or BitTorrent traffic (among others) is a real giveaway that someone is leeching from you. As EtherApe shows the hosts involved, you can determine if the computer is internal to your network. It may still be a legitimate user, but possibly sucking up your bandwidth: here’s the evidence to confront them with. Depending on the specific peer-to-peer app and the platform (i.e. Windows), you may also find it is heavily laden with spyware.
As good as EtherApe is, it needs to be watched to be useful. A terrific way to automate scans for this sort of traffic, whether you’re online or not, is with an intrusion detection system like Snort, which is also a freely available open source package. We previously covered Snort, including how it works under the hood and how to extend its facilities. Snort has signature files to identify all sorts of specific applications like these, and they will show in its output by name.
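The baseline idea described above (know what is expected, flag what is not, and check whether the host is internal) can be sketched in a few lines. This is an added example, not code from the article, EtherApe or Snort; the subnet, the expected-service list, the flow-record format and the sample flows are all assumptions constructed for illustration, and the watched ports are only common defaults that clients can change.

```python
import ipaddress
from collections import defaultdict

# Assumptions: your local subnet and the services you normally expect to see.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
EXPECTED_PORTS = {53: "DNS", 80: "HTTP", 443: "HTTPS"}

# Common default ports only; peer-to-peer clients can be set to use others.
WATCHED_PORTS = {22: "SSH", 6346: "Gnutella/LimeWire"}
WATCHED_PORTS.update({p: "BitTorrent" for p in range(6881, 6890)})

# Constructed sample flow records: src_ip src_port dst_ip dst_port bytes
SAMPLE_FLOWS = """\
192.168.1.10 51544 192.168.1.1 53 120
192.168.1.10 51600 203.0.113.5 443 48211
192.168.1.23 40112 198.51.100.7 6881 9120344
192.168.1.23 40113 198.51.100.9 6346 120033
203.0.113.77 55210 192.168.1.5 22 5120
192.168.1.40 39000 192.168.1.41 9999 700
"""

def classify(port):
    """Return None for expected traffic, else a protocol label."""
    if port in EXPECTED_PORTS:
        return None
    return WATCHED_PORTS.get(port, "unknown")

def analyse(text):
    """Group unexpected traffic by (source host, internal/external, label)."""
    findings = defaultdict(lambda: {"bytes": 0, "peers": set()})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:          # skip blank or malformed records
            continue
        src, _sport, dst, dport, nbytes = fields
        label = classify(int(dport))
        if label is None:
            continue
        inside = ipaddress.ip_address(src) in LOCAL_NET
        entry = findings[(src, "internal" if inside else "external", label)]
        entry["bytes"] += int(nbytes)
        entry["peers"].add(dst)
    return dict(findings)

def report(findings):
    """One line per finding, heaviest bandwidth user first."""
    rows = sorted(findings.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [f"{src} ({origin}) {label}: {v['bytes']} bytes to {len(v['peers'])} peer(s)"
            for (src, origin, label), v in rows]

if __name__ == "__main__":
    print("\n".join(report(analyse(SAMPLE_FLOWS))))
```

Port numbers alone are a weak signal, which is why the article points to Snort's signatures for identifying these applications by name.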
Summary
To sum up, a wireless network needs extra security considerations over a wired network because an attacker doesn’t require physical access. Additionally, your network can be disrupted without someone even needing to connect to it!
Key steps you can take to implement WiFi security include hiding the SSID, requiring a secure password, restricting access to listed MAC addresses and locating the access points as centrally as possible.
Be sure to identify the extent of your network signal, particularly the physical outer perimeter of your location. If you can see your network outside the office or home, so too can an attacker.
Use tools like EtherApe and Snort as well as Nmap to monitor your network and identify vulnerabilities as well as suspicious activity.