Until I get around to it, here's the email I posted to the list already:
For those who've been on the list the whole time and have heard my babbling before, you can ignore this - it's the public consumption version of what I posted when the list first started, there's nothing new other than the pictures.
Fun facts about wireless:
- You can't prevent someone from spoofing an AP and maintain widespread
compatibility. (Pedantically, there is mutual auth stuff now but we can't rely on the Great Unwashed to be able to support it, so it's not an option here.)
- You can't prevent someone from exploiting holes in the 802.11 protocol and
shutting down an existing lan.
- People will bring up their own APs that attempt to do MITM or just attract
clients and can't route them. This is bad for the users. I'm less worried about preventing MITM (if users are dumb enough to not encrypt or not preshare keys, their problem.)
How can we mitigate these problems?
- Heavy coverage. If a user can pick from 8 valid networks in a given area,
the kiddies will have to knock out 8 of them for us to lose connectivity in a region.
- Intelligent APs. We can't rely on consumer stuff for this, the wireless has
to be dynamic enough to respond to these problems.
- Multiple channels per AP. Each AP is going to have 2 data cards on
nonoverlapping channels, plus a monitoring card for observation.
Stuff the APs will be smart about:
- Detecting other networks with our SSID
- Detecting attempts to spoof our MAC addresses
- Bouncing users off of the spoofed networks so that they reattach to the legit
- Detecting and recording attacks against networks
- Dynamically reorganizing the channels to avoid noise, attacks, etc while
coordinating minimally-overlapping channels between APs
- Dynamically shifting BSSIDs if too many are being attacked
- Reporting status, attacks, etc to the NOC
- Coordination between APs to prevent, as someone put it, "all out war" of too
many APs dropping into retaliation mode.
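
The first two detection items in the list above, sketched as an added example (not the project's code, and not taken from hostap or Kismet): beacons seen by the monitoring card are checked against an inventory of our own BSSIDs and channels. The SSID, MAC addresses, `Beacon` fields and `MAX_GAP` threshold are all constructed assumptions.

```python
from collections import namedtuple

# One beacon as seen by the monitoring card (field set is an assumption).
Beacon = namedtuple("Beacon", "ssid bssid channel seq")

OUR_SSID = "ConNet"                      # constructed SSID
INVENTORY = {"00:11:22:33:44:01": 1,     # constructed BSSID -> assigned channel;
             "00:11:22:33:44:02": 6}     # must track any channel/BSSID shifts
SEQ_MOD = 4096   # 802.11 sequence numbers are 12 bits wide
MAX_GAP = 64     # assumed tolerance for frames the monitor card missed

def classify(beacons, ssid=OUR_SSID, inventory=INVENTORY, max_gap=MAX_GAP):
    """Return de-duplicated (kind, bssid, channel) alerts in first-seen order."""
    alerts, last_seq = [], {}

    def alert(kind, b):
        entry = (kind, b.bssid, b.channel)
        if entry not in alerts:
            alerts.append(entry)

    for b in beacons:
        if b.bssid not in inventory:
            if b.ssid == ssid:           # our SSID from a radio we don't own
                alert("ssid_spoof", b)
            continue
        if b.channel != inventory[b.bssid]:
            alert("bssid_wrong_channel", b)   # our MAC where we never put it
            continue
        # Same MAC, same channel: a second transmitter keeps its own counter,
        # so interleaved frames show large or backwards sequence jumps.
        prev = last_seq.get(b.bssid)
        if prev is not None and (b.seq - prev) % SEQ_MOD > max_gap:
            alert("seq_anomaly", b)
        last_seq[b.bssid] = b.seq
    return alerts

SAMPLE = [  # constructed capture
    Beacon("ConNet", "00:11:22:33:44:01", 1, 100),
    Beacon("ConNet", "00:11:22:33:44:02", 6, 2000),
    Beacon("ConNet", "00:11:22:33:44:01", 1, 104),
    Beacon("ConNet", "de:ad:be:ef:00:01", 11, 5),
    Beacon("ConNet", "00:11:22:33:44:02", 11, 2003),
    Beacon("ConNet", "00:11:22:33:44:01", 1, 3100),
    Beacon("ConNet", "00:11:22:33:44:01", 1, 108),
    Beacon("OtherNet", "aa:bb:cc:00:00:09", 3, 7),
]

if __name__ == "__main__":
    for a in classify(SAMPLE):
        print(a)
```

The alert tuples are what would be recorded and reported to the NOC; a noisy RF environment may need a larger `MAX_GAP` to avoid false positives.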
AP locations based off the site surveys done during the hotel walkthrough:
Floor 2 - floor-2.jpg
Surprisingly, the pillars on floor 2 have minimal impact on wireless. 4 APs will give 8 nonoverlapping channels of coverage for all of floor 2.
Floor 18 - 18-floor-ap.gif
Floor 18 is "funny", and not in the "ha-ha" way. The main ballrooms were given more APs than their size might otherwise imply, due to the general consensus that there were likely to be a number of users on the wireless at the talks in the big ballrooms. The other APs are necessary due to interference and range limitations.
Floor 18 ranges: 18-floor-ap-range.gif
Rough approximation of coverage ranges on floor 18.
This isn't final yet, but the current hardware involves mast mount boxes, isa-pcmcia bridges, and 3 200mW cards. Photos of the semi-assembled prototype:
The software is going to be a combination of hostap, a slightly modified Kismet, and a bunch of custom code to tie the APs to the NOC via peer auth. The NOC link will combine monitoring and manual control if necessary. The software will also have fallbacks to dumb-ap mode, so if all the smart functions fail we won't be sunk.
The software is actually less complex than it may sound - all the individual pieces are already done among various projects of mine, all that remains is tying them all together and writing a few specialized components.