Security. WPA?/-TKIP /-CCMP

WLAN.

What encryption protocol (implicitly supported by hardware) offers protection against others knowing the shared key? Does WPA-TKIP? What about WPA2-CCMP?

Reply to
Chrisjoy

On Thu, 4 Dec 2008 14:26:46 -0800 (PST), Chrisjoy wrote in :

The encryption protocol has no bearing on that.

Assuming a sufficiently strong key not to be cracked, a shared key is only insecure from the sharing -- the more folks that know it, the more insecure it is.

To avoid that risk, use WPA Enterprise, where each user has unique authentication.

Reply to
John Navas

I'm not sure the question is clear. If you mean "offers protection against your key being guessed or cracked", then both are very secure but WPA2 is more so. The risk is in using short or dictionary-based keys.

If you mean "protection against people who know your key" then neither is remotely useful...

Reply to
Mark McIntyre

What would be useful? VLAN? Any more practical solution? Why isn't this issue discussed more? Is WLAN basically meant for lifeless people who don't mind others looking into their "private" stuff? Is 802.11 still an immature technology?

Reply to
Chrisjoy

None of the above. A shared key is ummm.... shared. I can extract the shared key from some computers, or a usable hash value from the Windoze registry.

Once the shared key is compromised from one computah, the entire network is open to use, attack, or sniffing.

If you want encryption security, you should be looking at WPA-RADIUS or WPA2-RADIUS. These are also sometimes known as WPA-Enterprise. A RADIUS server delivers a unique, one time WPA encryption key to each wireless client that gets used only once. Each client gets a different unique one-time key.

Incidentally, nothing is ever "implicitly" supported in hardware. It's either supported or it's not, which is "explicitly" supported. It's kinda difficult to "imply" something in hardware.

Now, what is it you're trying to accomplish, and what do you have to work with?

Reply to
Jeff Liebermann

WPA-RADIUS

No. That just isolates broadcast domains by MAC addresses. MAC addresses are trivial to change or spoof, and therefore offer no security. Incidentally, the IP addresses and data are encrypted by WPA and WPA2. However the MAC addresses are easily sniffable, even without the encryption key.

Yes. Proprietary schemes. Your application is too vague to offer a specific recommendation.

It's been discussed to death. Search Google groups or the web for "wireless security".

Right. Wireless is for those that can't afford overpriced copper wires.

Nope. The surest sign of success and maturity is pollution. You're doing your part to insure success.

What is it you're trying to accomplish and what do you have to work with?

Reply to
Jeff Liebermann

Well, for all I know, the shared key principle with WPA could be only a way to stop intruders from getting into the network while there is another layer that offers protection against others with the same key. I don't know the details. That's why I'm asking. Do you know a good link with good info?

Does this mean all payload goes through this RADIUS server, or is it only for key distribution and authentication? Will the average portable computer equipped with 802.11b/g also have support for RADIUS? If so, I think this would be the best solution because I don't need clients to install software.

Bring about a network at work where everyone is welcome to connect wirelessly, but protected against sniffing of payload. A Linux solution is welcome because load balancing and bandwidth control are already done on such a box. I don't think I want to spend more than $1000, and the cost must be one time only. The solution must be easy to deploy, at least for Windows clients. A tunnel between client and Linux box would be fine. If RADIUS is supported by most portables, I think this is the most realistic way to go. What would I need either way?

Reply to
Chrisjoy

I thought a VLAN, using IPSEC, offered an end to end solution to protect against both sniffing and man-in-the-middle attacks. I don't care who gets into my network, only that those who do are not able to sniff on each other. Well, this is not perfectly true. It would be nice to have a way to differentiate between guests so that we get rid of freeloaders in the neighborhood, but without the use of an account system. It's not practical to have to give out keys for each guest. Since it's not possible to differentiate by anything else but MAC, this means freeloaders are able to bypass my shaping profiles (which reduce a MAC's bandwidth with bandwidth used, over time) by changing MAC. This is still not a problem though, after three years of running our hotspots, thanks to a shaper that gives an equal amount of bandwidth to each MAC, egress and ingress.

If it means a guest has to install software or hardware, and RADIUS does not, RADIUS is preferable, regardless of price, as long as it's a one time payment.

Can you give me a link where I can find a discussion about security where the main concern is to protect each WLAN client from each other, and how this should be done without anything more than an inbuilt 802.11g card on a portable?

I fail to see an economic motivation for wireless other than P2(m)P links between buildings where T1/3 is the only realistic alternative. My motive for wireless is ONLY flexibility and practicality. It's impossible to put up a TP stick at any place where one would want to use a computer. Where this is possible, I would always choose cable.

I guess our definitions are not compatible. If it's important both to connect and to do it securely, I fail to see that success is accomplished.

Answered in my last message.

Reply to
Chrisjoy

On what topic? WPA operation? The underlying encryption and authentication? The relationships to 802.11 and 802.1x? I'm not sure what to suggest. Start at:

There are plenty of URLs and links that should help you dig deeper. If you need something specific, ask and I'll try to dig it out.

RADIUS is only for authentication. Nothing goes "through" the RADIUS server. With the addition of a login and password, it can also be used for authorization:

Windoze 2003 server includes an Internet Authentication Service (IAS) service that uses RADIUS for wireless authentication. There are also a few wireless routers with small RADIUS servers inside. However, the bulk of the RADIUS servers are built on FreeRADIUS and a MySQL database. Perhaps a "how to" for setting up a wireless hotspot with a RADIUS server for authentication might help:

Yes. They all do. If they're Wi-Fi Alliance certified, they can do both shared keys and RADIUS delivered keys.

Correct.

WPA or WPA2 encryption is very effective at preventing sniffing.

I can't tell if $1,000 or $1 will be adequate as you've supplied no details or requirements.

Wireless is NOT easy to deploy or understand. There are quite a few pieces of the puzzle that must be correct or you have a security hole. The one that drives me nuts at corporate installations is the one you're working on. A shared key is easily compromised. People write it down, pass it to friends, and generally are sloppy. If I want to change the shared key, then I also have to change EVERYONE's shared key. Of course, there's no efficient key distribution system. Windoze has one where you place it on a USB dongle or floppy, but that also gets copied and passed around. If you want to avoid becoming the designated "key manager", do try to get a RADIUS server, where everything is managed in one place.

A VPN tunnel may be secure but it's also a major performance hit. VPNs generate quite a bit of overhead and excess traffic. I have customers that use VPNs over public networks to insure security. However, they're slowly moving to WPA2 encryption because of performance and complexity problems.

Save the VPN tunnels for remote access (i.e. over the internet and at public locations). That will give you security over insecure transport that you have no control over. For around the office WPA is adequate for small systems with a small number of users, where you have some control over all the machines. When you get to larger systems, think about RADIUS servers for authentication, or a proprietary "wireless switch" which conglomerates everything into one box for central admin, but supports a large number of very simple wireless access points. These are far more expensive than your $1000 budget, but I would look at them anyway to see what can be done.

Reply to
Jeff Liebermann

I know nothing of combining a VLAN with IPSEC. IPSEC is one of the encryption and authentication methods used for a VPN and has zero to do with a VLAN, which only limits or splits a broadcast domain.

Please re-write the above so that it makes sense.

It also doesn't make sense.

There are various "light weight" methods to limit casual access. None of them are even close to secure but will slow down the casual visitor. MAC and IP address filters, trivial encryption keys, and SSID hiding are common suggestions. The problem is that these will not stop the neighborhood freeloaders, which have sufficient time to figure out what you're doing.

Well, that's a rough description of the problem. One solution is separate access points for the users and the visitors, where the guest access point can be unplugged after hours. It can also be set up so that all traffic from the guest AP goes to the internet and never sees the office LAN. This is best done by arranging for 2 routable IP addresses from your ISP. One is for the inside LAN, the other for the guests. They share the same internet bandwidth, but never see each other's packets.

This can also be done using access points (and wireless routers) that support more than one SSID. I use Linux based DD-WRT for the purpose. The problem is that I haven't figured out how to completely isolate the guest SSID. There's still some interaction. However, it's not a problem because DD-WRT supports "AP Isolation" which is really "client isolation", which prevents wireless clients from seeing each other.

No. All Wi-Fi Alliance certified devices support both PSK (pre-shared key) and RADIUS (enterprise).

Not offhand. I don't have a clue as to the size of your network, the speeds, the resources available, or what you're trying to protect. You also have a rather odd concept of security. If you are really trying to serve the GUM (great unwashed masses) just set up a separate open wireless portal for their entertainment and use. Keep the GUM off your corporate WLAN if you want to be secure.

I'll see if I can find some numbers for wiring an office. Offhand (i.e. bad guess), I was charging about $250 per wall jack for in the wall wiring. That doesn't include the managed switch where everything came together. That can add up fast, especially if you install extra jacks.

What's a "TP stick"?

Running an open access point is not exactly my idea of security, especially since you apparently don't care who uses it. I guess you have to learn the implications the hard way.

I didn't see any numbers except for the $1000 budget.

Number of users, area you're trying to cover, max range, going through any walls?, type of equipment, servers available, type of traffic, number of access points that might be involved, number of wireless users, etc.

Reply to
Jeff Liebermann

Much good info, Jeff. Let me ask one question one more time.

I don't need authentication. I welcome everyone inside my field strength to use my net. My primary (/only) concern is that the guests at my wireless LAN are protected against each other. Protected from sniffing. Will a RADIUS server make sure every connection to the access point will use a unique AES key?

Reply to
Chrisjoy

The only implication I need to be concerned about is the bandwidth used. I want to give away bandwidth for free, for visitors and those few freeloaders in the neighbourhood. This means my security concern is NOT to find an encryption/protocol to keep people out, but to find an encryption/protocol to keep people from sniffing each other's payload packets. You said WPA(1/2) alone does not offer a unique key for every connection, but with RADIUS, I will get this.

(I already got a net of dedicated access points outside my firewall only meant for visitors. I already got a time limit for the use of this WLAN network. Are you able to misread me another time, Jeff? :-)

Reply to
Chrisjoy

I thought you had taken a sabbatical on security discussions

What with the problems in using shared keys and the hassle with distributing unique keys, even with RADIUS, don't you think my preference to using an open wireless network with VPN clients is an option, despite Mr. Navas' opinion of unknown risks?

I use IPSec VPNs even with old and slow wireless handheld devices and notice no objectionable application interface performance hits (which is what counts to the user).

Of course, but he is running 'hot spots' (from his previous posts).

When you get to larger

Indeed, and for mission-critical work I wouldn't settle for less, but hot spots are another matter (my approach is specific to public access deployments that gateway private clients as well).

Michael

Reply to
msg

Not that you need a cheering section, but indeed that is also my approach on the combined public access and internal site(s) that I run; it also permits a different level of application security for the 'LAN' segment and different access controls (It is not 'one network' as per Mr. Navas' pronouncements, but a collection of networks each with different expectations of security and the likelihood of anyone actually even being interested in exploits or penetration - after all, in my neck of the woods, there isn't much of value in I.P. to be sniffing, and there are much more obvious networks that _may_ actually have traffic worth sniffing for financial or other gain than non-profit and educational nets).

Michael

Reply to
msg

Yes. The RADIUS server delivers a one time unique WPA/WPA2 key for each user and for each session.

From your description, it seems that you want to run a public hotspot on a corporate LAN. That's fine as long as you do something to keep the traffic separate. I'll stand on my comments that this is a dumb thing to do and that you should reconsider your approach. At the very least, keep the two systems separate.

It might be helpful to read the FAQ:

Note that the ZyXEL G-2000 Plus has a built in RADIUS server with PEAP authentication.

There are some free and for-pay RADIUS servers on the internet which you can use for testing. I'm late for a meeting and need to run. Maybe later. This article has some references:

It also explains how the unique encryption key is created and delivered.

Also, you might need authentication if you're running RADIUS. This might help:

Reply to
Jeff Liebermann
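As an added illustration of the point Jeff makes above (this is example code written for this page, not code from the thread or any product): with WPA-PSK every client derives the same PMK from the passphrase and SSID, and the per-session pairwise key is then derived from that PMK plus four values that travel in the clear during the 4-way handshake, so a second client who knows the passphrase can reproduce another client's key, while a RADIUS-delivered per-session PMK gives it nothing to work from. The MAC addresses, nonces and the two "RADIUS" PMKs below are constructed stand-ins; the PBKDF2 and PRF steps follow IEEE 802.11i.

```python
import hashlib
import hmac

def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: every client on one SSID derives this same 256-bit PMK (PBKDF2-SHA1, 4096 rounds)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, tkip: bool = False) -> bytes:
    """Pairwise Transient Key from the PMK plus the four handshake values sent in the clear:
    AP MAC (AA), client MAC (SPA), ANonce and SNonce. CCMP needs 384 bits, TKIP 512."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)

def temporal_key(ptk: bytes) -> bytes:
    """PTK layout: KCK (16) || KEK (16) || TK (16); the TK is what encrypts the data frames."""
    return ptk[32:48]

# Constructed sample handshake fields (not from a real capture).
AP_MAC = bytes.fromhex("001122334455")
ALICE_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

def peer_tk_recoverable(alice_pmk: bytes, observer_pmk: bytes) -> bool:
    """Can a second client, holding observer_pmk and seeing Alice's 4-way handshake fields,
    reproduce the TK that Alice and the AP will use for her data frames?"""
    real = temporal_key(derive_ptk(alice_pmk, AP_MAC, ALICE_MAC, ANONCE, SNONCE))
    guess = temporal_key(derive_ptk(observer_pmk, AP_MAC, ALICE_MAC, ANONCE, SNONCE))
    return hmac.compare_digest(real, guess)

def psk_scenario() -> bool:
    """WPA-PSK: both clients derive the PMK from the same passphrase and SSID."""
    pmk = psk_pmk("correct horse battery staple", "office-guest")
    return peer_tk_recoverable(pmk, pmk)  # True: the shared secret gives away every session key

def enterprise_scenario() -> bool:
    """WPA-Enterprise: RADIUS hands each client its own PMK after EAP authentication.
    Stand-in values; a real PMK is EAP master-key material, not a hash of a label."""
    alice_pmk = hashlib.sha256(b"constructed session PMK for alice").digest()
    other_pmk = hashlib.sha256(b"constructed session PMK for another client").digest()
    return peer_tk_recoverable(alice_pmk, other_pmk)  # False

if __name__ == "__main__":
    print("PSK: another client can recover Alice's TK:", psk_scenario())
    print("Enterprise: another client can recover Alice's TK:", enterprise_scenario())
```

The nonces are what make each PSK session key different from the last; they are not what keeps it private, since the PMK is the only secret input and it is shared by everyone on the SSID.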

Oops. No, it doesn't explain it. It switched topics in mid paragraph and uses a PSK (pre-shared key) as an example. Sorry. Still, the article (and series) is well worth reading.

Reply to
Jeff Liebermann

I cannot help myself from thinking 802.11, and even Wi-Fi, is a pretty immature technology while not making it mandatory to support a unique key for each connection. Especially considering the fact that access points already support RADIUS servers, which means they already got CPU power and enough RAM to encrypt and decrypt connections using different keys, and where they fail is at as ridiculous a place as the simple task to make a DB handling keys and communicate them over an asymmetric encryption method. Only crazy people would do anything remotely sensitive on such a connection, which makes straight 802.11 a toy for kids. Not that I would dare to as much as remotely control a Märklin train using 802.11. I have to say, digging into 802.11 has been a great disappointment. They who develop this line of products, are they all kids finding communication without wire so fascinating they forget to be serious, at all!?

Anyways, thanks for all your information and leads. I can now hurry away to my conclusion. I will not spend another dime supporting our hotspot network before there is an easy way to protect against sniffing. I do not consider setting up a RADIUS connection on the client side to be easy. I will wait until the only information that needs to be put into a client is a pass phrase after choosing an SSID (with a signature fingerprint so that nobody can fake a trusted network), and that's it. When this is done, everyone should be protected from WLAN sniffing. If the 802.11 guys are not able to do this, they are not worth my time. Ten years of development, and not even solving this straightforward problem/solution, I would be ashamed!

Reply to
Chrisjoy

He's thinking of a VPN I suspect.

To the OP: a VLAN is just a virtual broadcast network created inside your infrastructure. Normally, to be part of a broadcast network, devices need to be physically on the same subnet, which in practice means they need to be on the same set of switches. The VLAN allows machines physically on different switches to be considered on the same subnet, e.g. you might have a machine in Delhi and another in Tokyo on entirely different physical networks, joined into a VLAN. But it's not a security measure.

Reply to
Mark McIntyre

This may sound rude, but you're way over your head. Seems to me you're planning a fairly large scale public wifi hotspot without really understanding the basic principles of networking, the difference between authentication and encryption etc.

I'd suggest stepping right back and learning about how network security works.

Reply to
Mark McIntyre
