SLAN ("secure LAN", pronounced ess-LAN) is, simply put, yet another
virtual private networking system. The name is slightly misleading: by
default SLAN does not make an insecure, "sniffable" LAN itself
secure. What it does attempt to provide is a secured link to the
Internet or a larger network across an untrusted broadcast medium such
as an 802.11 wireless link or non-switched Ethernet.

The development of this project was motivated by the insufficient
security mechanisms built into the IEEE 802.11 wireless networking
standard. Lightlink Internet, a local ISP here in Ithaca, wants to
launch a city-wide and potentially larger 802.11 public wireless
network, yet still offer data privacy for its customers even though
their data is being broadcast over radio waves to, more or less, the
entire city.

The SLAN project was created to provide an open-source software
solution to this problem that is easily changeable, or rather fixable
and upgradeable (we should all know that real network security is a
continuous effort, not a one-stop shop). It provides client
authentication, server/service authentication, data privacy
(encryption) and data integrity (MAC), using short-lived per-user,
per-session keys rather than a long-term shared secret such as a WEP
password, and it leaves room for any further features the client or
service provider finds useful and convenient, such as bandwidth
accounting, account status, network status, etc.
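
The following is an added illustration of the key-handling property
described above (a long-term per-user credential that never protects
traffic directly, fresh per-session keys derived from it, and a MAC
checked on every frame before decryption). It is example code written
for this page, not SLAN's own protocol or source. The client/server
nonces as KDF inputs, the frame layout (sequence number, ciphertext,
tag) and the HMAC-SHA256 counter-mode keystream standing in for a real
cipher are all assumptions made here, not SLAN's wire format.

```python
"""Per-session keys plus encrypt-then-MAC framing (added example, not SLAN code)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Session:
    """One user's session; its keys live only as long as the session does.

    Assumption for this example: both sides contribute a fresh nonce and
    both know the user's long-term credential. The credential is used only
    as KDF input, never as a traffic key (contrast a static WEP password).
    """

    TAG_LEN = 32  # HMAC-SHA256 output

    def __init__(self, user_secret: bytes, client_nonce: bytes, server_nonce: bytes):
        salt = client_nonce + server_nonce
        keys = hkdf_sha256(user_secret, salt, b"example session keys", 64)
        self.enc_key, self.mac_key = keys[:32], keys[32:]  # separate keys per purpose

    def _keystream(self, seq: int, length: int) -> bytes:
        # PRF-based keystream (HMAC-SHA256 over seq||block counter) used here
        # as a stand-in for a real cipher such as AES-CTR.
        out, block = b"", 0
        while len(out) < length:
            out += hmac.new(self.enc_key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
            block += 1
        return out[:length]

    def seal(self, seq: int, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC. Frame layout (assumed): seq(8) || ciphertext || tag(32)."""
        ks = self._keystream(seq, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        header = struct.pack(">Q", seq)
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag

    def open(self, frame: bytes) -> Optional[bytes]:
        """Verify the MAC before touching the ciphertext; return None on any failure."""
        if len(frame) < 8 + self.TAG_LEN:
            return None
        header, ciphertext, tag = frame[:8], frame[8:-self.TAG_LEN], frame[-self.TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        (seq,) = struct.unpack(">Q", header)
        ks = self._keystream(seq, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> Dict[str, object]:
    """Constructed scenario: one user credential, two sessions, one tampered frame."""
    user_secret = b"constructed long-term per-user credential"
    s1 = Session(user_secret, os.urandom(16), os.urandom(16))
    s2 = Session(user_secret, os.urandom(16), os.urandom(16))
    frame = s1.seal(1, b"GET / HTTP/1.0")
    tampered = bytearray(frame)
    tampered[12] ^= 0x01  # flip one bit inside the ciphertext
    return {
        "roundtrip": s1.open(frame),            # decrypts in the right session
        "tampered": s1.open(bytes(tampered)),   # MAC failure -> None
        "cross_session": s2.open(frame),        # same user, other session -> None
        "keys_differ": s1.enc_key != s2.enc_key,  # fresh nonces give fresh keys
    }


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the last two entries: a frame captured from one
session is useless in another session of the same user, and compromise
of one session's keys says nothing about the next, which is exactly what
a static shared secret cannot offer.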

The result is a virtual private network system designed mainly to
protect the link between the client's machine and the service
provider's internal networking infrastructure, which is assumed (for
the purposes of this project, at least) to be physically secure against
eavesdropping. SLAN DOES NOT PROTECT YOUR DATA ON THE INTERNET. The
current design is flexible enough, however, that it could also be used
for secured remote access across the Internet to a company or
organization's private internal network, the way most other VPN
implementations are intended to be used. Our focus was the link between
the service provider's physically secured backbone network and the
client, which in our case is a broadcast medium on which a passive
adversary can eavesdrop with very little effort or expense.