Go Back   Wireless and Wifi Forums > News > Newsgroups > alt.internet.wireless
Register FAQ Forum Rules Members List Calendar Search Today's Posts Advertise Mark Forums Read

 
Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 09-28-2006, 03:59 PM
Craig
Guest
 
Posts: n/a
Default What's the current "best" way to secure a wireless network?

Hi folks,
I'm new to wireless, and it seems like the current "best" way to secure
my wireless network is to use WPA2. Coming from a "wired" network
background, I tend to think the best way to secure a network (at least
a hard wired network) is to is to set up a VPN or use IPSec between
clients, but I don't know if such an option is available in the
wireless arena? From what I gather, it is possible to crack WPA2 using
programs that can capture enough IVs, etc.

Anyway, can anyone offer a suggestion on what's the best way,
currently, to secure my wireless LAN?

Thanks,
Craig


Reply With Quote
  #2 (permalink)  
Old 09-28-2006, 04:28 PM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: What's the current "best" way to secure a wireless network?

"Craig" <craigcaughlin@gmail.com> hath wroth:

>I'm new to wireless, and it seems like the current "best" way to secure
>my wireless network is to use WPA2.


Correct. Once you have uncrackable encryption, all the other security
features offer little additional security.

>Coming from a "wired" network
>background, I tend to think the best way to secure a network (at least
>a hard wired network) is to is to set up a VPN or use IPSec between
>clients, but I don't know if such an option is available in the
>wireless arena?


With a VPN, you could run a wide open (un-encrypted) network, and
still have adequate security.

802.11 wireless is all bridging. 802.11 wireless packets encapsulate
802.3 ethernet packets. At the wireless level, it's all layer 2 and
no IP addresses (except for managment). Therefore, any of the Layer 3
security features (SSH, SSL, VPN, etc) will work with a router that
has VPN pass through enabled. There are even wireless routers
available that will terminate a VPN in the router (Netgear, Sonicwall,
etc).

>From what I gather, it is possible to crack WPA2 using
>programs that can capture enough IVs, etc.


Wrong. That's for cracking WEP, not WPA. WPA is considered secure
with non-dictionary keys longer than 20 characters.
http://wifinetnews.com/archives/002452.html

>Anyway, can anyone offer a suggestion on what's the best way,
>currently, to secure my wireless LAN?


Are you sure you want the "best" way or do you want just whatever is
adequate for your unstated purpose? The "best" is using WPA2-AES with
X.509 certificates for authentication on a RADIUS server, with
removable USB dongles, that also support S-Key one time key
generation, through an IPSec VPN, and an IDS (intrusion detection
sysetem) on the router. Not only will the "best" be uncrackable, it
may also be unuseable and slow. Are you sure you really want this?

More reasonable is just nailing down the WPA2 encryption. The obvious
problem is that the shared WPA key can be leaked or stolen. That will
compromise the entire system. The answer is to use WPA2-RADIUS (also
known as WPA2-Enterprise) which uses a RADIUS server to assign one
time encryption keys for each user and each session. As long as WPA2
remains uncrackable in realtime, you're safe.

All the other security band-aids are in my never humble opinion
worthless. (SSID hiding, MAC filters, IP filters, limited DHCP,
obscure IP's, etc).
See the FAQ at:
| http://wireless.wikia.com/wiki/Wi-Fi#Wi-Fi_Security

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Reply With Quote
  #3 (permalink)  
Old 09-28-2006, 10:58 PM
Craig
Guest
 
Posts: n/a
Default Re: What's the current "best" way to secure a wireless network?

Hey thanks for the reply Jeff.

Hmmm, unless I'm misinterpreting something...I think WPA2 can now be
cracked via "coWPAtty". Check out: http://churchofwifi.org/ where they
say "For Defcon 14, we added WPA2 cracking capabilities."

Am I wrong???

Thank you for your feedback. :-)

Craig


Jeff Liebermann wrote:
> "Craig" <craigcaughlin@gmail.com> hath wroth:
>
> >I'm new to wireless, and it seems like the current "best" way to secure
> >my wireless network is to use WPA2.

>
> Correct. Once you have uncrackable encryption, all the other security
> features offer little additional security.
>
> >Coming from a "wired" network
> >background, I tend to think the best way to secure a network (at least
> >a hard wired network) is to is to set up a VPN or use IPSec between
> >clients, but I don't know if such an option is available in the
> >wireless arena?

>
> With a VPN, you could run a wide open (un-encrypted) network, and
> still have adequate security.
>
> 802.11 wireless is all bridging. 802.11 wireless packets encapsulate
> 802.3 ethernet packets. At the wireless level, it's all layer 2 and
> no IP addresses (except for managment). Therefore, any of the Layer 3
> security features (SSH, SSL, VPN, etc) will work with a router that
> has VPN pass through enabled. There are even wireless routers
> available that will terminate a VPN in the router (Netgear, Sonicwall,
> etc).
>
> >From what I gather, it is possible to crack WPA2 using
> >programs that can capture enough IVs, etc.

>
> Wrong. That's for cracking WEP, not WPA. WPA is considered secure
> with non-dictionary keys longer than 20 characters.
> http://wifinetnews.com/archives/002452.html
>
> >Anyway, can anyone offer a suggestion on what's the best way,
> >currently, to secure my wireless LAN?

>
> Are you sure you want the "best" way or do you want just whatever is
> adequate for your unstated purpose? The "best" is using WPA2-AES with
> X.509 certificates for authentication on a RADIUS server, with
> removable USB dongles, that also support S-Key one time key
> generation, through an IPSec VPN, and an IDS (intrusion detection
> sysetem) on the router. Not only will the "best" be uncrackable, it
> may also be unuseable and slow. Are you sure you really want this?
>
> More reasonable is just nailing down the WPA2 encryption. The obvious
> problem is that the shared WPA key can be leaked or stolen. That will
> compromise the entire system. The answer is to use WPA2-RADIUS (also
> known as WPA2-Enterprise) which uses a RADIUS server to assign one
> time encryption keys for each user and each session. As long as WPA2
> remains uncrackable in realtime, you're safe.
>
> All the other security band-aids are in my never humble opinion
> worthless. (SSID hiding, MAC filters, IP filters, limited DHCP,
> obscure IP's, etc).
> See the FAQ at:
> | http://wireless.wikia.com/wiki/Wi-Fi#Wi-Fi_Security
>
> --
> Jeff Liebermann jeffl@comix.santa-cruz.ca.us
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558



Reply With Quote
  #4 (permalink)  
Old 09-29-2006, 12:59 AM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: What's the current "best" way to secure a wireless network?

On 28 Sep 2006 15:58:22 -0700, "Craig" <craigcaughlin@gmail.com>
wrote:

>Hmmm, unless I'm misinterpreting something...I think WPA2 can now be
>cracked via "coWPAtty". Check out: http://churchofwifi.org/ where they
>say "For Defcon 14, we added WPA2 cracking capabilities."
>
>Am I wrong???


I wish you wouldn't do that. I just wasted over an hour surfing all
the new projects on the ChurchofWiFi web pile. Lots of nifty ideas.
It's difficult to resist temptation.

coWPAtty is a brute force dictionary attack tool. It tries various
keys from a list of common passwords on a capture file. Recently, it
has been sped up substantially by the release of a list of pre-hashed
dictionary words. The hash file is currently 7 GBytes big. Since the
key exchange algorithm is the same for WPA1 and WPA2, adding WPA2
support to 4.0 was not a big deal.
| http://www.churchofwifi.org/default....lay.asp?PID=95

How it works:
| http://www.wirelessdefence.org/Conte...WPAttyMain.htm

The basic idea is to NOT use words that are in a dictionary. The more
obscure and the longer the key, the better.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

Reply With Quote
  #5 (permalink)  
Old 09-29-2006, 08:18 AM
e-teori
Guest
 
Posts: n/a
Default Re: What's the current "best" way to secure a wireless network?

Den Fri, 29 Sep 2006 00:59:15 +0000. skrev Jeff Liebermann:


> I wish you wouldn't do that. I just wasted over an hour surfing all
> the new projects on the ChurchofWiFi web pile. Lots of nifty ideas.
> It's difficult to resist temptation.


We aim to please at the CoWF ;)
Jeff, feel free to join up at the CoWF if you got any projects or ideas of
your own, that you'd like to get going, or if you feel that there are some
projects you'd like to participate in.

J.D. "Dutch" Schmidt
Forum moderator, NetStumbler.org.
CoWF founding member.



Reply With Quote
  #6 (permalink)  
Old 09-29-2006, 01:49 PM
Robert Coe
Guest
 
Posts: n/a
Default Re: What's the current "best" way to secure a wireless network?

On Fri, 29 Sep 2006 00:59:15 GMT, Jeff Liebermann
<jeffl@comix.santa-cruz.ca.us> wrote:
: On 28 Sep 2006 15:58:22 -0700, "Craig" <craigcaughlin@gmail.com>
: wrote:
:
: >Hmmm, unless I'm misinterpreting something...I think WPA2 can now be
: >cracked via "coWPAtty". Check out: http://churchofwifi.org/ where they
: >say "For Defcon 14, we added WPA2 cracking capabilities."
: >
: >Am I wrong???
:
: I wish you wouldn't do that. I just wasted over an hour surfing all
: the new projects on the ChurchofWiFi web pile. Lots of nifty ideas.
: It's difficult to resist temptation.
:
: coWPAtty is a brute force dictionary attack tool. It tries various
: keys from a list of common passwords on a capture file. Recently, it
: has been sped up substantially by the release of a list of pre-hashed
: dictionary words. The hash file is currently 7 GBytes big. Since the
: key exchange algorithm is the same for WPA1 and WPA2, adding WPA2
: support to 4.0 was not a big deal.
: | http://www.churchofwifi.org/default....lay.asp?PID=95
:
: How it works:
: | http://www.wirelessdefence.org/Conte...WPAttyMain.htm
:
: The basic idea is to NOT use words that are in a dictionary. The more
: obscure and the longer the key, the better.

I agree, up to a point. If your key consists of a single word or phrase that
could appear in a dictionary or word inventory, in any common language, you're
probably deluding yourself. But if you have a reasonably long phrase that you
can remember and that is easy to type without errors, you probably don't have
to deviate from it much in order to be safe. Good encryption algorithms (and
presumably WPA2/AES is one such) randomize the entire key as a single entity,
rather than treating its constituent parts, if any, separately. So if you
modify your phrase with a couple of unlikely misspellings, the encrypted forms
of the original and modified phrases should be entirely different, and the
modified phrase should be highly resistant to a brute-force attack.

You'll often see assertions that the key itself should be 20 or 30 characters
long and as random as you can make it. But such a key cannot possibly be
remembered and will therefore be written down, making it much more subject to
compromise. I read an article recently pointing out that using a memorable (vs
highly random) WPA passphrase increases your susceptibility to a brute-force
attack by six orders of magnitude! What the article also admitted, but only
obliquely, was that the actual decrease in the time necessary to crack the
encryption was from 100,000,000,000,000,000,000,000 times the age of the known
universe to "only" 100,000,000,000,000,000 times. Yes, that is six orders of
magnitude, but who cares?

Yes, a trivial WPA passphrase can be cracked. But until someone proves that he
can crack a passphrase that I've chosen, I'm not going to lose any sleep over
it.

Bob

Reply With Quote
  #7 (permalink)  
Old 09-29-2006, 06:28 PM
Bill Bradshaw
Guest
 
Posts: n/a
Default Re: What's the current "best" way to secure a wireless network?

Jeff Liebermann wrote:
> On 28 Sep 2006 15:58:22 -0700, "Craig" <craigcaughlin@gmail.com>
> wrote:
>
>> Hmmm, unless I'm misinterpreting something...I think WPA2 can now be
>> cracked via "coWPAtty". Check out: http://churchofwifi.org/ where
>> they
>> say "For Defcon 14, we added WPA2 cracking capabilities."
>>
>> Am I wrong???


Instead of looking at this as just a cracking tool could it be used to test
the vulnerability of the WPA2 passwork we have selected?
--
<Bill>

Brought to you from Anchorage, Alaska.




Reply With Quote
  #8 (permalink)  
Old 09-30-2006, 02:29 AM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: What's the current "best" way to secure a wireless network?

e-teori <lyngbytest_nospam_@_nospam_business.tele.dk> hath wroth:

>Den Fri, 29 Sep 2006 00:59:15 +0000. skrev Jeff Liebermann:
>> I wish you wouldn't do that. I just wasted over an hour surfing all
>> the new projects on the ChurchofWiFi web pile. Lots of nifty ideas.
>> It's difficult to resist temptation.


>We aim to please at the CoWF ;)
>
>Jeff, feel free to join up at the CoWF if you got any projects or ideas of
>your own, that you'd like to get going, or if you feel that there are some
>projects you'd like to participate in.


Thanks, but I already have far too many projects that I should be
working on. I'm also a lousy programmer and don't collaborate very
well. However, if you have any RF/wireless/radio related questions,
feel free to bug me.

>J.D. "Dutch" Schmidt
>Forum moderator, NetStumbler.org.
>CoWF founding member.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Reply With Quote
Reply


« I need a new wireless toy... | Powerline ethernet adapters any good? Difference in powerline speed over direct connect Wireless? »
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Secure Wireless for non-public network, Windows Server 2003 R2, Linksys APs bjriffel@hotmail.com alt.internet.wireless 3 01-25-2007 04:04 PM
Speedtouch 576 hangs at "Acquiring Network Address" Wireless Ali Chambers alt.internet.wireless 3 09-22-2006 12:19 AM
How to share wired Internet connection in hotel using two wireless PCs Cindy alt.internet.wireless 33 09-10-2006 02:52 AM
wireless network Jim alt.internet.wireless 5 08-21-2006 03:49 AM


All times are GMT. The time now is 03:29 AM.



Powered by vBulletin® Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.6.0 PL2

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45