What's the current "best" way to secure a wireless network?

Hi folks,
I'm new to wireless, and it seems like the current "best" way to secure
my wireless network is to use WPA2. Coming from a "wired" network
background, I tend to think the best way to secure a network (at least
a hard wired network) is to is to set up a VPN or use IPSec between
clients, but I don't know if such an option is available in the
wireless arena? From what I gather, it is possible to crack WPA2 using
programs that can capture enough IVs, etc.

Anyway, can anyone offer a suggestion on what's the best way,
currently, to secure my wireless LAN?

Thanks,
Craig

"Craig" <craigcaughlin@gmail.com> hath wroth:

>I'm new to wireless, and it seems like the current "best" way to secure
>my wireless network is to use WPA2.

Correct. Once you have uncrackable encryption, all the other security
features offer little additional security.

>Coming from a "wired" network
>background, I tend to think the best way to secure a network (at least
>a hard wired network) is to is to set up a VPN or use IPSec between
>clients, but I don't know if such an option is available in the
>wireless arena?

With a VPN, you could run a wide open (un-encrypted) network, and
still have adequate security.

802.11 wireless is all bridging. 802.11 wireless packets encapsulate
802.3 ethernet packets. At the wireless level, it's all layer 2 and
no IP addresses (except for managment). Therefore, any of the Layer 3
security features (SSH, SSL, VPN, etc) will work with a router that
has VPN pass through enabled. There are even wireless routers
available that will terminate a VPN in the router (Netgear, Sonicwall,
etc).

>From what I gather, it is possible to crack WPA2 using
>programs that can capture enough IVs, etc.

Wrong. That's for cracking WEP, not WPA. WPA is considered secure
with non-dictionary keys longer than 20 characters.
http://wifinetnews.com/archives/002452.html

>Anyway, can anyone offer a suggestion on what's the best way,
>currently, to secure my wireless LAN?

Are you sure you want the "best" way or do you want just whatever is
adequate for your unstated purpose? The "best" is using WPA2-AES with
X.509 certificates for authentication on a RADIUS server, with
removable USB dongles, that also support S-Key one time key
generation, through an IPSec VPN, and an IDS (intrusion detection
sysetem) on the router. Not only will the "best" be uncrackable, it
may also be unuseable and slow. Are you sure you really want this?

More reasonable is just nailing down the WPA2 encryption. The obvious
problem is that the shared WPA key can be leaked or stolen. That will
compromise the entire system. The answer is to use WPA2-RADIUS (also
known as WPA2-Enterprise) which uses a RADIUS server to assign one
time encryption keys for each user and each session. As long as WPA2
remains uncrackable in realtime, you're safe.

All the other security band-aids are in my never humble opinion
worthless. (SSID hiding, MAC filters, IP filters, limited DHCP,
obscure IP's, etc).
See the FAQ at:
| http://wireless.wikia.com/wiki/Wi-Fi#Wi-Fi_Security

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Hey thanks for the reply Jeff.

Hmmm, unless I'm misinterpreting something...I think WPA2 can now be
cracked via "coWPAtty". Check out: http://churchofwifi.org/ where they
say "For Defcon 14, we added WPA2 cracking capabilities."

Am I wrong???

Thank you for your feedback. :-)

Craig


Jeff Liebermann wrote:
> "Craig" <craigcaughlin@gmail.com> hath wroth:
>
> >I'm new to wireless, and it seems like the current "best" way to secure
> >my wireless network is to use WPA2.
>
> Correct. Once you have uncrackable encryption, all the other security
> features offer little additional security.
>
> >Coming from a "wired" network
> >background, I tend to think the best way to secure a network (at least
> >a hard wired network) is to is to set up a VPN or use IPSec between
> >clients, but I don't know if such an option is available in the
> >wireless arena?
>
> With a VPN, you could run a wide open (un-encrypted) network, and
> still have adequate security.
>
> 802.11 wireless is all bridging. 802.11 wireless packets encapsulate
> 802.3 ethernet packets. At the wireless level, it's all layer 2 and
> no IP addresses (except for managment). Therefore, any of the Layer 3
> security features (SSH, SSL, VPN, etc) will work with a router that
> has VPN pass through enabled. There are even wireless routers
> available that will terminate a VPN in the router (Netgear, Sonicwall,
> etc).
>
> >From what I gather, it is possible to crack WPA2 using
> >programs that can capture enough IVs, etc.
>
> Wrong. That's for cracking WEP, not WPA. WPA is considered secure
> with non-dictionary keys longer than 20 characters.
> http://wifinetnews.com/archives/002452.html
>
> >Anyway, can anyone offer a suggestion on what's the best way,
> >currently, to secure my wireless LAN?
>
> Are you sure you want the "best" way or do you want just whatever is
> adequate for your unstated purpose? The "best" is using WPA2-AES with
> X.509 certificates for authentication on a RADIUS server, with
> removable USB dongles, that also support S-Key one time key
> generation, through an IPSec VPN, and an IDS (intrusion detection
> sysetem) on the router. Not only will the "best" be uncrackable, it
> may also be unuseable and slow. Are you sure you really want this?
>
> More reasonable is just nailing down the WPA2 encryption. The obvious
> problem is that the shared WPA key can be leaked or stolen. That will
> compromise the entire system. The answer is to use WPA2-RADIUS (also
> known as WPA2-Enterprise) which uses a RADIUS server to assign one
> time encryption keys for each user and each session. As long as WPA2
> remains uncrackable in realtime, you're safe.
>
> All the other security band-aids are in my never humble opinion
> worthless. (SSID hiding, MAC filters, IP filters, limited DHCP,
> obscure IP's, etc).
> See the FAQ at:
> | http://wireless.wikia.com/wiki/Wi-Fi#Wi-Fi_Security
>
> --
> Jeff Liebermann jeffl@comix.santa-cruz.ca.us
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558

On 28 Sep 2006 15:58:22 -0700, "Craig" <craigcaughlin@gmail.com>
wrote:

>Hmmm, unless I'm misinterpreting something...I think WPA2 can now be
>cracked via "coWPAtty". Check out: http://churchofwifi.org/ where they
>say "For Defcon 14, we added WPA2 cracking capabilities."
>
>Am I wrong???

I wish you wouldn't do that. I just wasted over an hour surfing all
the new projects on the ChurchofWiFi web pile. Lots of nifty ideas.
It's difficult to resist temptation.

coWPAtty is a brute force dictionary attack tool. It tries various
keys from a list of common passwords on a capture file. Recently, it
has been sped up substantially by the release of a list of pre-hashed
dictionary words. The hash file is currently 7 GBytes big. Since the
key exchange algorithm is the same for WPA1 and WPA2, adding WPA2
support to 4.0 was not a big deal.
| http://www.churchofwifi.org/default....lay.asp?PID=95

How it works:
| http://www.wirelessdefence.org/Conte...WPAttyMain.htm

The basic idea is to NOT use words that are in a dictionary. The more
obscure and the longer the key, the better.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

Den Fri, 29 Sep 2006 00:59:15 +0000. skrev Jeff Liebermann:


> I wish you wouldn't do that. I just wasted over an hour surfing all
> the new projects on the ChurchofWiFi web pile. Lots of nifty ideas.
> It's difficult to resist temptation.

We aim to please at the CoWF ;)
Jeff, feel free to join up at the CoWF if you got any projects or ideas of
your own, that you'd like to get going, or if you feel that there are some
projects you'd like to participate in.

J.D. "Dutch" Schmidt
Forum moderator, NetStumbler.org.
CoWF founding member.

On Fri, 29 Sep 2006 00:59:15 GMT, Jeff Liebermann
<jeffl@comix.santa-cruz.ca.us> wrote:
: On 28 Sep 2006 15:58:22 -0700, "Craig" <craigcaughlin@gmail.com>
: wrote:
:
: >Hmmm, unless I'm misinterpreting something...I think WPA2 can now be
: >cracked via "coWPAtty". Check out: http://churchofwifi.org/ where they
: >say "For Defcon 14, we added WPA2 cracking capabilities."
: >
: >Am I wrong???
:
: I wish you wouldn't do that. I just wasted over an hour surfing all
: the new projects on the ChurchofWiFi web pile. Lots of nifty ideas.
: It's difficult to resist temptation.
:
: coWPAtty is a brute force dictionary attack tool. It tries various
: keys from a list of common passwords on a capture file. Recently, it
: has been sped up substantially by the release of a list of pre-hashed
: dictionary words. The hash file is currently 7 GBytes big. Since the
: key exchange algorithm is the same for WPA1 and WPA2, adding WPA2
: support to 4.0 was not a big deal.
: | http://www.churchofwifi.org/default....lay.asp?PID=95
:
: How it works:
: | http://www.wirelessdefence.org/Conte...WPAttyMain.htm
:
: The basic idea is to NOT use words that are in a dictionary. The more
: obscure and the longer the key, the better.

I agree, up to a point. If your key consists of a single word or phrase that
could appear in a dictionary or word inventory, in any common language, you're
probably deluding yourself. But if you have a reasonably long phrase that you
can remember and that is easy to type without errors, you probably don't have
to deviate from it much in order to be safe. Good encryption algorithms (and
presumably WPA2/AES is one such) randomize the entire key as a single entity,
rather than treating its constituent parts, if any, separately. So if you
modify your phrase with a couple of unlikely misspellings, the encrypted forms
of the original and modified phrases should be entirely different, and the
modified phrase should be highly resistant to a brute-force attack.

You'll often see assertions that the key itself should be 20 or 30 characters
long and as random as you can make it. But such a key cannot possibly be
remembered and will therefore be written down, making it much more subject to
compromise. I read an article recently pointing out that using a memorable (vs
highly random) WPA passphrase increases your susceptibility to a brute-force
attack by six orders of magnitude! What the article also admitted, but only
obliquely, was that the actual decrease in the time necessary to crack the
encryption was from 100,000,000,000,000,000,000,000 times the age of the known
universe to "only" 100,000,000,000,000,000 times. Yes, that is six orders of
magnitude, but who cares?

Yes, a trivial WPA passphrase can be cracked. But until someone proves that he
can crack a passphrase that I've chosen, I'm not going to lose any sleep over
it.

Bob

Jeff Liebermann wrote:
> On 28 Sep 2006 15:58:22 -0700, "Craig" <craigcaughlin@gmail.com>
> wrote:
>
>> Hmmm, unless I'm misinterpreting something...I think WPA2 can now be
>> cracked via "coWPAtty". Check out: http://churchofwifi.org/ where
>> they
>> say "For Defcon 14, we added WPA2 cracking capabilities."
>>
>> Am I wrong???

Instead of looking at this as just a cracking tool could it be used to test
the vulnerability of the WPA2 passwork we have selected?
--
<Bill>

Brought to you from Anchorage, Alaska.

e-teori <lyngbytest_nospam_@_nospam_business.tele.dk> hath wroth:

>Den Fri, 29 Sep 2006 00:59:15 +0000. skrev Jeff Liebermann:
>> I wish you wouldn't do that. I just wasted over an hour surfing all
>> the new projects on the ChurchofWiFi web pile. Lots of nifty ideas.
>> It's difficult to resist temptation.

>We aim to please at the CoWF ;)
>
>Jeff, feel free to join up at the CoWF if you got any projects or ideas of
>your own, that you'd like to get going, or if you feel that there are some
>projects you'd like to participate in.

Thanks, but I already have far too many projects that I should be
working on. I'm also a lousy programmer and don't collaborate very
well. However, if you have any RF/wireless/radio related questions,
feel free to bug me.

>J.D. "Dutch" Schmidt
>Forum moderator, NetStumbler.org.
>CoWF founding member.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558