State of Secure Wireless Networking? 45
Mr. Sketch asks: "At my office, they want me to add a wireless network and it seems like it could be possible to do it in a secure way, but I'm not 100% confident. The setup I was thinking of was 802.11g only (no backward 802.11b compatibility), WPA-PSK with AES encryption with a 15-character password consisting of upper and lower case letters, numbers and special characters, MAC filtering, no SSID broadcast, and no default anything (SSID, passwords, etc.). How secure would this network be? What type of attacks would it be vulnerable to? I haven't found any tools to crack AES, only WEP; does that mean it's secure, or just that I haven't looked hard enough? I want the wireless computers to still be able to access the computers on our network; in fact, ideally, I just want it to be a wireless extension of our wired network, but only if it's secure enough. I'm sure there are plenty of other companies who want to add wireless to their network, but want to be reasonably confident that it will be secure and are unsure of the current state of wireless security."
tell me your SSID, password, subnet info, (Score:5, Funny)
or just use IPSec on your whole network? (Score:2)
or just on the wireless network and use a gateway
Why is this so hard?
regards
John Jones
Lock the door (Score:1)
The same as it was last week... (Score:4, Interesting)
Re:The same as it was last week... (Score:5, Informative)
Re:The same as it was last week... (Score:3, Insightful)
Even if you go with a commercial VPN solution, with dedicated/specialized hardware, you would still have vendor independence with the APs... Since you could run multiple VPNs you have a nice upgrade path too. If you rely on the APs, then to upgrade you at best would have to flash every AP you have, or if that's not possible, replace all of them.
My theory is to use the stupidest possib
Re:The same as it was last week... (Score:5, Informative)
Whatever you do, don't use hardware solutions. Ever had a flash update fail on a router? Try explaining why nobody can connect because the AP's ROM is toasted, and that it will be three days before a new ROM comes in. Hardware security solutions have just as many errors (if not more) as software ones, but they are a hell of a lot worse to update. Don't trust them, and you likely won't have to deal with them. Also, sometimes it's best to go with a product that is less well-known (i.e. NOT Cisco, Linksys, RealSecure (laughs), Internet Security Solutions (laughs again), Microsoft, Microsoft, Microsoft....), since you won't see an exploit that has 500,000 machines attacking your network within two hours of the release of the patch (or before). I have had to fix two security issues with my FreeBSD box since it went in, and only one required a 2 minute service outage (reboot).
Re:The same as it was last week... (Score:4, Informative)
Public shared keys as used with WPA-PSK are difficult to manage and generally a bad idea. Consider the following: A laptop is lost or stolen. If WPA-PSK is used, the password on every wireless client must now be changed. This is not a quick and easy task. If a VPN with certificate-based authentication is used instead, only one certificate needs to be revoked. Revoking a certificate is a trivial task.
There is one advantage to WEP or WPA. Using either will keep the wardriving kiddies away.
Regarding AES:
While AES is better than the RC4 algorithm used in WEP, it doesn't mean that a product using AES will be more secure. RC4 is not the problem with WEP. The poor implementation of RC4 is the problem. Especially, WEP allows known weak keys. A poor implementation of AES could also be vulnerable to attack. This is a big problem with encryption. Too many people see a product's buzzword-compliant encryption algorithms and assume this makes the product secure. Any idiot can use encryption, but it takes a smart developer to use encryption properly.
Re:The same as it was last week... (Score:3, Insightful)
My main problem with WEP is it's silly to use outside of a group of about 10 people. After that you really need to use rotating keys that are different for each person, otherwise when some employee leaves your company then everyone's changing their WEP key. It just doesn't
Security (Score:5, Informative)
AES itself is considered a strong encryption technology. How secure it will be for a WiFi connection is anyone's bet. It is the approved NIST standard. (US centric) see http://csrc.nist.gov/CryptoToolkit/aes for more information.
You could enhance it by putting in an SSH VPN to a separate box on your network.
Connect your AP to the network through a firewall that only allows the SSH tunnel to communicate with the tunnel server, and drops all other traffic. The AP would provide its own DHCP server to eliminate unnecessary load on the firewall.
Then again, I work in an environment where we do not allow any wireless networking.
-Rusty
What about ad hoc problems? (Score:3, Interesting)
Re:What about ad hoc problems? (Score:1)
Re:What about ad hoc problems? (Score:3, Insightful)
If you don't have control over every (wired or wireless) computer connected to your network, outsiders could be able to connect to it. This problem is not restricted to the wireless
secure (Score:5, Informative)
You should map the network, understand where the signal reaches and try to tune the power to only go where you want it.
If you are paranoid enough to want to try all of the layers of encryption, and you should be, it's fun to do. Then go with the setup you have and put IPSEC on top; that will make it at least as secure as your wired side. Be aware that you won't get anywhere near 54 Mbps with all of the encryption loading down the system, so it will be slow.
I am not aware of any attacks that could brute force this setup, but it would be easier for someone to socially engineer it. MAC addresses can be cloned, VPN logins stolen, so some form of automated monitoring would be nice, checking for duplicate logins, unauthorized times. Why is Bob trying to authenticate at 3AM? That kind of stuff.
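The automated monitoring this comment asks for, as an added example that is not from the thread: a pass over constructed VPN/802.1X accounting lines that flags off-hours authentication, one account with sessions open from two MACs at once, and one MAC used by two accounts (a cloned MAC). The log format, the business-hours policy and all names are assumptions made for the example.

```python
"""Flag the anomalies the comment lists: logins at odd hours, duplicate
logins for one user, and a single MAC used by several accounts."""
from collections import defaultdict
from datetime import datetime

# Constructed sample accounting lines (not real captures): time, event, user, MAC, AP
SAMPLE_LOG = """\
2004-04-12 08:55:10 LOGIN user=alice mac=00:11:22:33:44:55 ap=ap-lobby
2004-04-12 09:02:44 LOGIN user=bob mac=00:11:22:33:44:66 ap=ap-eng
2004-04-12 09:03:01 LOGIN user=bob mac=00:11:22:33:44:77 ap=ap-lobby
2004-04-12 12:00:00 LOGOUT user=bob mac=00:11:22:33:44:77 ap=ap-lobby
2004-04-12 17:40:00 LOGOUT user=alice mac=00:11:22:33:44:55 ap=ap-lobby
2004-04-12 18:10:00 LOGOUT user=bob mac=00:11:22:33:44:66 ap=ap-eng
2004-04-13 03:02:15 LOGIN user=bob mac=00:11:22:33:44:66 ap=ap-eng
2004-04-13 03:05:00 LOGIN user=carol mac=00:11:22:33:44:66 ap=ap-eng
"""

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 is "normal" (assumed site policy)

def parse(line):
    """Split one line into a dict with ts, event, user, mac, ap."""
    date, time, event, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(f"{date} {time}")
    rec["event"] = event
    return rec

def find_anomalies(log_text):
    """Return (kind, user, ts) findings in log order."""
    findings = []
    active = defaultdict(set)     # user -> MACs with a session still open
    mac_users = defaultdict(set)  # mac  -> every account seen on that MAC
    for line in log_text.splitlines():
        rec = parse(line)
        user, mac, ts = rec["user"], rec["mac"], rec["ts"]
        if rec["event"] == "LOGOUT":
            active[user].discard(mac)
            continue
        if ts.hour not in BUSINESS_HOURS:          # "Why is Bob here at 3AM?"
            findings.append(("off_hours", user, ts))
        if active[user] - {mac}:                   # already logged in elsewhere
            findings.append(("duplicate_login", user, ts))
        mac_users[mac].add(user)
        if len(mac_users[mac]) > 1:                # same MAC, second account
            findings.append(("shared_mac", user, ts))
        active[user].add(mac)
    return findings

if __name__ == "__main__":
    for kind, user, ts in find_anomalies(SAMPLE_LOG):
        print(f"{ts} {kind:16} {user}")
```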
Re:secure (Score:4, Funny)
Re:secure (Score:4, Funny)
Then I tried to social engineer the secretary to give me some passwords. I did manage to get some numbers from her, but they turned out to be her measurements (5'4, 120 lb, 34, 22, 33) and her phone number.
My conclusion is that it is impossible to gain access to their computer network. And that I don't really care anymore.
Re:secure (Score:2)
Why not use a VPN (Score:2, Insightful)
This gives you bomb-proof security using proven technology, avoids key distribution problems and allows you to upgrade the wireless infrastructure with less effort.
http://www.nortelnetworks.com/products/01/contivity/
Re:Why not use a VPN (Score:1)
Re:Why not use a VPN (Score:1)
You link up all the access points to switches, which in turn pass packets up to the Contivity box. The Contivity box acts like a kind of bridge between the insecure wireless network and your secure LAN. You will also need a DHCP server on the wireless network.
It's best if you can get your switches NOT to pass packets between the access points so an intruder can't attempt to access your mobile laptops.
At the risk of getting fl
Re:Why not use a VPN (Score:1)
Re:Why not use a VPN (Score:1)
Re:Why not use a VPN (Score:1)
of a Contivity box is if you give all your clients a certificate.
The password option-- which most everyone deploys-- is insecure.
It uses a shared password in the IKE exchange and then does an ineffectual username/password authentication. It's ineffectual because it is not bound to the phase 1 IKE exchange. The keys derived from phase 1 and phase 2 in IKE will not be authenticated and therefore the security guarantee that IPsec gives you has just been voided.
Really
WPA-PSK (Score:5, Interesting)
Don't foget reliability. (Score:3, Interesting)
I'm running a small WISP and have found that some radios can crash my access points. Make sure you get a real good AP, like Cisco or something. I've used the cheap ones, Linksys, D-Link, and I end up having problems. So I built my own with a Soekris board using Linux. Same problems. Switched to FreeBSD (m0n0wall). Same problems. The damn things crash almost every day. The biggest reason... Power Save Mode on a client computer.
One big problem (Score:4, Informative)
Some really high-end wifi equipment will scan the airwaves for unauthorized signals, plus scan the wired network for IP addresses that act like access points, and then notify you or even attempt to shut them down.
use 802.1x instead of PSK (Score:2, Informative)
As much as any other... (Score:3, Insightful)
Be warned: Turning off SSID broadcasting, enabling MAC filters, or even lowering your AP power levels can result in unexpected behavior.
For instance, my Dlink access point/router has a firmware update that features WPA, but it doesn't work with my Gigabyte w/l card. A few small packets can get through, but large packets are right out of the question. Sometimes there will be windows of a few seconds where I can get traffic through, but they go away in 5 seconds or less.
I switched back to WEP and everything was peachy. I then turned off SSID broadcasting. My w/l cards (all of them) would no longer recognize my active network because they couldn't "see" it. There isn't a way to hard-code or static-set the SSID name, channel, etc into my cards. You'll need to find one with hardware or software that supports connecting to networks that don't have a visible SSID. Basically, one that remembers what channel it was last on.
It's frustrating. Also, if you're paranoid about security, run your traffic through a VPN. It's a pain in the butt to set up, but it should work. Get ready for lots of support calls, too. Calls like "It was working, but I rebooted my machine and now it can't see the network", "the network is slow", "Why does it say the signal quality is low a lot of the time and I'm using the network just fine?"
You'll hear lots of that
AES and WPA security (Score:2)
What IS vulnerable in such a system is key management, and platform integrity. To help ensure platform integrity, use open-source software via an in-house or trusted and certified build. Key management pol
Advice from the Inside Track (Score:5, Informative)
I would recommend that you implement (now) WPA with TKIP encryption. If you're a MS shop, and have an Active Directory infrastructure, adding MS IAS (internet authentication server) to that is very easy, and you're probably already licensed. Then you get to choose between authentication methods, and MS supports (and integrates into XP) EAP-MS-CHAP and EAP-TLS, basically login/passwd and digital certs, respectively. I would avoid Preshared Secret Keys (PSKs) due to their vulnerability to off-line dictionary attacks, unless you're willing to generate the PSKs in a cryptographically sound manner and push the length out quite a bit.
Likewise, I would counsel caution about using the AES encryption. If you purchase all of your gear from one vendor, you'll probably be OK, but there are a couple of gotchas that you need to know about. First, the IEEE 802.11i standard which specifies CCMP (the AES crypto) is not yet final. It's extremely unlikely, but it _could_ change (we meet next week). Any vendor you choose today would likely provide updates in the event of a change, but who knows. More importantly, because the 11i is not final, the Wi-Fi Alliance has not yet integrated CCMP into their testing. So not only do you have absolutely no guarantee of interoperability, no one other than the vendor has tested the crypto implementation. Most crypto folks have a good feeling about AES, but no sane cryptographer trusts an implementation that hasn't been 3rd party tested.
Unfortunately, if you need to support Linux, you're in for a hard time. I am not aware of a complete working set of client-side "stuff" to integrate into this lashup, although I did notice the beginnings of some support in the recent 2.6.5 kernel. Do NOT assume that you will be able to get Linux working in this environment right now. It's coming..... but it ain't there yet.
Now, on the subject of some of the other "advice" offered here....
There is a book out from Microsoft Press that gives a lot of background, and takes you step-by-step through getting all of this crap up and running in their environment. I have met the author, and know a number of the contributors from the committee. I highly recommend it, available here [amazon.com]. I sincerely hope all of this helps....
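The original question proposes a 15-character WPA-PSK passphrase, and the comment above says PSKs are only acceptable when generated in a cryptographically sound manner and made long. As an added example (not from the thread or any vendor), this generates a passphrase from the OS CSPRNG, reports the guessing work it represents, and derives the 256-bit PMK the way 802.11i specifies (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations), which is where an off-line guess has to spend its effort. The SSID "corp-wlan" is a constructed value.

```python
"""Sound WPA-PSK passphrase generation and the 802.11i PMK derivation."""
import hashlib
import math
import secrets
import string

# The 94 printable ASCII symbols a WPA passphrase may use (8-63 characters)
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_passphrase(length=20):
    """Uniformly random passphrase from the OS CSPRNG (never random.choice)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of work an exhaustive guess needs against a uniform passphrase;
    a dictionary word gives far fewer bits than its character count suggests."""
    return length * math.log2(alphabet_size)

def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits).
    The SSID is the salt, so the same passphrase yields a different PMK on
    every network and precomputed tables are only good for one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

if __name__ == "__main__":
    pw = generate_passphrase(20)
    print(f"passphrase: {pw}  ({entropy_bits(20):.0f} bits)")
    print(f"15 chars, 94 symbols: {entropy_bits(15):.0f} bits")
    print(f"8 lowercase letters:  {entropy_bits(8, 26):.0f} bits")
    print("PMK for SSID corp-wlan:", derive_pmk(pw, "corp-wlan").hex())
```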
Re:Advice from the Inside Track (Score:2)
You can also bet these are not consumer-grade access points like the original poster seemed to be leaning towards, but higher end units. Cons
Re:Advice from the Inside Track (Score:2)
Re:Advice from the Inside Track (Score:2, Informative)
anything about CCMP. It's in sponsor ballot and has something like 4 comments to deal with. CCMP was not any of those comments. Repeat: there is absolutely no way that TGi will change the draft to affect CCMP. The cement is long dry on that.
There is also absolutely no reason why anyone should worry about CCMP. The underlying AES algorithm has received extensive cryptographic review and the CCMP mode has also been reviewed. It has proven security characteristics.
And C
Re:Advice from the Inside Track (Score:2)
I agree, it's unlikely, but possible. Sponsor ballot (and I'm a voter there, too) is NOT the final stage, so a change might come, but again, it is unlikely.
I'm much more concerned about interoperability issues. One thing that I have learned is that if something isn't 3rd party tested, it will not interoperate. In the course of operating a commercial interoperability testing and certification program for IPSec products, we have to date,
Re:Advice from the Inside Track (Score:1)
testing and certification program for IPsec products you work for but I have an idea. In fact, I think I know who you are!
I used to work for a Very Large Router Company. I wrote the IKE RFC and conveniently wrote the code running on the routers for said company. When we submitted for certification with a commercial interoperability testing and certification group for IPsec products, one of the testers called me and told me my code was not compliant. Then he proceeded to
The enemy within (Score:2)
Point here is that having obtained a little bit of privileged information somebody can sit parked in a nearby van and sniff data to their heart's content.
True you can (and some people do) attach network "bugs" to cables to relay traffic, but the extensive use of switches makes this much more difficult.
Wireless gives easier access to more traffic, and it is often the most interesting as it tends to be
Your network isn't secure ... (Score:2)
On the other hand, if your neighbor has a less secure network than yours, yours automatically becomes more secure.
Remember this joke:
Two lawyers walking through the woods spotted a vicious-looking bear. The first lawyer immediately opened his briefcase, pulled out a pair of sneakers and started putting them on. The second lawyer looked at him and said, "You're crazy! You'll never be able to outrun that bear!"
"I don't have to," the first lawyer
Remember the rogues (Score:1)
Filtering on MAC is useless: many WiFi drivers have MAC-spoofing capability in the Windows GUI!
The way to go is VPN, or 802.1x with a mutually-authenticating EAP protocol.
Remember you have to guard against a rogue AP that presents a fake version of your login interface to harvest credentials...