#1
10-25-2006, 09:35 PM
dilan.weerasinghe@gmail.com
WPA2 or RADIUS more secure?

Hi

I have a query on Wireless security that I was hoping someone could
help with.

Most technical journals state that for enterprises/business, WLAN
security should comprise of a RADIUS server, PEAP encryption etc. WPA2
is reserved for SOHO.

However, what is the reason for this? Is it because maintaining a
passphrase in an enterprise is too much overhead, or actually because
the AES encryption used with WPA2 is insecure.

We would like to have a Wireless network in part of our office where
there are only about 4-5 people. In this case, building a RADIUS server
for such a small amount seems overkill when we can use WPA2 *unless*
RADIUS was actually more secure.

We were thinking of a combination of WPA2, MAC address filtering and
hiding the SSID, although we realise there are relatively
straightforward ways to bypass the last two.

Would be interested to know people's thoughts.

Thanks.


#2
10-26-2006, 12:29 AM
Jeff Liebermann
Re: WPA2 or RADIUS more secure?

On 25 Oct 2006 13:35:45 -0700, dilan.weerasinghe@gmail.com wrote:

>Most technical journals state that for enterprises/business, WLAN
>security should comprise of a RADIUS server, PEAP encryption etc. WPA2
>is reserved for SOHO.
>
>However, what is the reason for this? Is it because maintaining a
>passphrase in an enterprise is too much overhead, or actually because
>the AES encryption used with WPA2 is insecure.


The reason for specifying both WPA and RADIUS is that they serve
different purposes. WPA is encryption. RADIUS, 802.1x, etc are for
authentication. The major connection is that RADIUS authentication
delivers a one-time, unique, WPA encryption key for each session. In
other words, you don't need a common company wide WPA encryption key
for the entire network which might leak out to evil hackers like me.

>We would like to have a Wireless network in part of our office where
>there are only about 4-5 people. In this case, building a RADIUS server
>for such a small amount seems overkill when we can use WPA2 *unless*
>RADIUS was actually more secure.


Agreed. However, you can subscribe to RADIUS servers/services on the
internet.
http://radiuz.net
http://www.linksys.com/wirelessguard/
etc...
Do it thyself:
http://www.tinypeap.com

>We were thinking of a combination of WPA2, MAC address filtering and
>hiding the SSID, although we realise there are relatively
>straightforward ways to bypass the last two.


Forget the MAC address filtering, SSID hiding, DHCP scope limiting,
reduced xmit power, and other wasted efforts. Your only real
protection is encryption. Everything else just gets in the way.

As long as you don't have to deal with visitors, vendors, and
relatives bearing laptops, PDAs, and PDAphones with Wi-Fi, WPA2-PSK
is sufficient. The danger is having the system wide WPA encryption
key leak. If that's a possibility (i.e. the boss's son is an aspiring
hacker), then I would go for the WPA2-RADIUS solution. Also, you can
now get wireless access points and routers with RADIUS built in. Try
Zyxel G-2000 plus.

>Would be interested to know people's thoughts.


http://wireless.wikia.com/wiki/Wi-Fi#Wi-Fi_Security


>Thanks.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS
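
Added example (not part of the thread or any poster's code): a Python sketch of the key hierarchy behind the point made above, that WPA2-PSK roots every session in one shared secret while WPA2 with RADIUS/802.1X gives each login its own. The 802.1X master key is modelled as random bytes (an assumption, no EAP exchange is run), and the passphrase, SSID and MAC addresses are constructed sample values.

```python
import hashlib
import hmac
import os

def psk_pmk(passphrase, ssid):
    """WPA2-PSK: the 256-bit PMK depends only on passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def eap_pmk():
    """WPA2 with 802.1X/RADIUS: PMK comes from per-login EAP key material.
    Modelled as 32 random bytes (assumption; no real EAP exchange is run)."""
    return os.urandom(32)

def ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """802.11i PRF-384 over HMAC-SHA1: per-session key block for CCMP."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(3)]
    return b"".join(blocks)[:48]

def compare_modes(passphrase, ssid, ap_mac, stations):
    """Return how many distinct PMKs and PTKs each mode yields."""
    result = {}
    for mode in ("psk", "eap"):
        pmks, ptks = set(), set()
        for sta in stations:
            pmk = psk_pmk(passphrase, ssid) if mode == "psk" else eap_pmk()
            pmks.add(pmk)
            # Fresh nonces per association, as in the 4-way handshake.
            ptks.add(ptk(pmk, ap_mac, sta, os.urandom(32), os.urandom(32)))
        result[mode] = {"pmks": len(pmks), "ptks": len(ptks)}
    return result

# Constructed sample values (not from the thread).
AP = bytes.fromhex("020000000001")
STATIONS = [bytes.fromhex("0200000000%02x" % n) for n in range(0x10, 0x15)]

if __name__ == "__main__":
    print(compare_modes("constructed-example-passphrase", "OfficeWLAN", AP, STATIONS))
    # {'psk': {'pmks': 1, 'ptks': 5}, 'eap': {'pmks': 5, 'ptks': 5}}
```

Both modes produce a unique traffic key per association; the difference is that in PSK mode all five hang off one master key that sits on every client, so rotating it after a leak means reconfiguring every device.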

#3
10-26-2006, 04:33 PM
dilan.weerasinghe@gmail.com
Re: WPA2 or RADIUS more secure?



On Oct 26, 12:29 am, Jeff Liebermann <j...@comix.santa-cruz.ca.us>
wrote:
> On 25 Oct 2006 13:35:45 -0700, dilan.weerasin...@gmail.com wrote:
>
> >Most technical journals state that for enterprises/business, WLAN
> >security should comprise of a RADIUS server, PEAP encryption etc. WPA2
> >is reserved for SOHO.
> >
> >However, what is the reason for this? Is it because maintaining a
> >passphrase in an enterprise is too much overhead, or actually because
> >the AES encryption used with WPA2 is insecure.
>
> The reason for specifying both WPA and RADIUS is that they serve
> different purposes. WPA is encryption. RADIUS, 802.1x, etc are for
> authentication. The major connection is that RADIUS authentication
> delivers a one-time, unique, WPA encryption key for each session. In
> other words, you don't need a common company wide WPA encryption key
> for the entire network which might leak out to evil hackers like me.
>
> >We would like to have a Wireless network in part of our office where
> >there are only about 4-5 people. In this case, building a RADIUS server
> >for such a small amount seems overkill when we can use WPA2 *unless*
> >RADIUS was actually more secure.
>
> Agreed. However, you can subscribe to RADIUS servers/services on the
> internet.
> http://radiuz.net
> http://www.linksys.com/wirelessguard/
> etc...
> Do it thyself:
> http://www.tinypeap.com
>
> >We were thinking of a combination of WPA2, MAC address filtering and
> >hiding the SSID, although we realise there are relatively
> >straightforward ways to bypass the last two.
>
> Forget the MAC address filtering, SSID hiding, DHCP scope limiting,
> reduced xmit power, and other wasted efforts. Your only real
> protection is encryption. Everything else just gets in the way.
>
> As long as you don't have to deal with visitors, vendors, and
> relatives bearing laptops, PDAs, and PDAphones with Wi-Fi, WPA2-PSK
> is sufficient. The danger is having the system wide WPA encryption
> key leak. If that's a possibility (i.e. the boss's son is an aspiring
> hacker), then I would go for the WPA2-RADIUS solution. Also, you can
> now get wireless access points and routers with RADIUS built in. Try
> Zyxel G-2000 plus.
>
> >Would be interested to know people's thoughts.
>
> http://wireless.wikia.com/wiki/Wi-Fi#Wi-Fi_Security
>
> >Thanks.
>
> --
> # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
> # 831-336-2558 j...@comix.santa-cruz.ca.us
> # http://802.11junk.com j...@cruzio.com
> # http://www.LearnByDestroying.com AE6KS


Thanks Jeff.

Since the wireless LAN would only be for the use of a couple of people,
I see no reason why the PSK should leave the IT department, so I think
WPA2-PSK will be our method.


#4
10-26-2006, 06:53 PM
Jeff Liebermann
Re: WPA2 or RADIUS more secure?

dilan.weerasinghe@gmail.com hath wroth:

>Since the wireless LAN would only be for the use of a couple of people,
>I see no reason why the PSK should leave the IT department, so I think
>WPA2-PSK will be our method.


That should be fine if you have control over the various desktops,
laptops and PDAs. The problem is that the saved WPA key can be
easily extracted from the Windoze registry:
http://www.wirelessdefence.org/Conte..._WinWzcook.htm

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
