What's the current "best" way to secure a wireless network?

Hi folks, I'm new to wireless, and it seems like the current "best" way to secure my wireless network is to use WPA2. Coming from a "wired" network background, I tend to think the best way to secure a network (at least a hard wired network) is to set up a VPN or use IPSec between clients, but I don't know if such an option is available in the wireless arena? From what I gather, it is possible to crack WPA2 using programs that can capture enough IVs, etc.

Anyway, can anyone offer a suggestion on what's the best way, currently, to secure my wireless LAN?

Thanks, Craig

Reply to
Craig

"Craig" hath wroth:

Correct. Once you have uncrackable encryption, all the other security features offer little additional security.

With a VPN, you could run a wide open (un-encrypted) network, and still have adequate security.

802.11 wireless is all bridging. 802.11 wireless packets encapsulate 802.3 ethernet packets. At the wireless level, it's all layer 2 and no IP addresses (except for management). Therefore, any of the Layer 3 security features (SSH, SSL, VPN, etc) will work with a router that has VPN pass through enabled. There are even wireless routers available that will terminate a VPN in the router (Netgear, Sonicwall, etc).

Wrong. That's for cracking WEP, not WPA. WPA is considered secure with non-dictionary keys longer than 20 characters.


Are you sure you want the "best" way or do you want just whatever is adequate for your unstated purpose? The "best" is using WPA2-AES with X.509 certificates for authentication on a RADIUS server, with removable USB dongles, that also support S-Key one time key generation, through an IPSec VPN, and an IDS (intrusion detection system) on the router. Not only will the "best" be uncrackable, it may also be unusable and slow. Are you sure you really want this?

More reasonable is just nailing down the WPA2 encryption. The obvious problem is that the shared WPA key can be leaked or stolen. That will compromise the entire system. The answer is to use WPA2-RADIUS (also known as WPA2-Enterprise) which uses a RADIUS server to assign one time encryption keys for each user and each session. As long as WPA2 remains uncrackable in realtime, you're safe.

All the other security band-aids are in my never humble opinion worthless. (SSID hiding, MAC filters, IP filters, limited DHCP, obscure IPs, etc). See the FAQ at:

formatting link

Reply to
Jeff Liebermann

Hey thanks for the reply Jeff.

Hmmm, unless I'm misinterpreting something...I think WPA2 can now be cracked via "coWPAtty". Check out:

formatting link
where they say "For Defcon 14, we added WPA2 cracking capabilities."

Am I wrong???

Thank you for your feedback. :-)

Craig

Jeff Liebermann wrote:

Reply to
Craig

I wish you wouldn't do that. I just wasted over an hour surfing all the new projects on the ChurchofWiFi web pile. Lots of nifty ideas. It's difficult to resist temptation.

coWPAtty is a brute force dictionary attack tool. It tries various keys from a list of common passwords on a capture file. Recently, it has been sped up substantially by the release of a list of pre-hashed dictionary words. The hash file is currently 7 GBytes big. Since the key exchange algorithm is the same for WPA1 and WPA2, adding WPA2 support to 4.0 was not a big deal.

formatting link ?PID=95

How it works:

formatting link

The basic idea is to NOT use words that are in a dictionary. The more obscure and the longer the key, the better.

Reply to
Jeff Liebermann

On Fri, 29 Sep 2006 00:59:15 +0000, Jeff Liebermann wrote:

We aim to please at the CoWF ;) Jeff, feel free to join up at the CoWF if you got any projects or ideas of your own, that you'd like to get going, or if you feel that there are some projects you'd like to participate in.

J.D. "Dutch" Schmidt Forum moderator, NetStumbler.org. CoWF founding member.

Reply to
e-teori

On Fri, 29 Sep 2006 00:59:15 GMT, Jeff Liebermann wrote:
: On 28 Sep 2006 15:58:22 -0700, "Craig" wrote:
:
: >Hmmm, unless I'm misinterpreting something...I think WPA2 can now be
: >cracked via "coWPAtty". Check out: formatting link where they
: >say "For Defcon 14, we added WPA2 cracking capabilities."
: >
: >Am I wrong???
:
: I wish you wouldn't do that. I just wasted over an hour surfing all
: the new projects on the ChurchofWiFi web pile. Lots of nifty ideas.
: It's difficult to resist temptation.
:
: coWPAtty is a brute force dictionary attack tool. It tries various
: keys from a list of common passwords on a capture file. Recently, it
: has been sped up substantially by the release of a list of pre-hashed
: dictionary words. The hash file is currently 7 GBytes big. Since the
: key exchange algorithm is the same for WPA1 and WPA2, adding WPA2
: support to 4.0 was not a big deal.
:
: formatting link ?PID=95
:
: How it works:
:
: formatting link
:
: The basic idea is to NOT use words that are in a dictionary. The more
: obscure and the longer the key, the better.

I agree, up to a point. If your key consists of a single word or phrase that could appear in a dictionary or word inventory, in any common language, you're probably deluding yourself. But if you have a reasonably long phrase that you can remember and that is easy to type without errors, you probably don't have to deviate from it much in order to be safe. Good encryption algorithms (and presumably WPA2/AES is one such) randomize the entire key as a single entity, rather than treating its constituent parts, if any, separately. So if you modify your phrase with a couple of unlikely misspellings, the encrypted forms of the original and modified phrases should be entirely different, and the modified phrase should be highly resistant to a brute-force attack.

You'll often see assertions that the key itself should be 20 or 30 characters long and as random as you can make it. But such a key cannot possibly be remembered and will therefore be written down, making it much more subject to compromise. I read an article recently pointing out that using a memorable (vs highly random) WPA passphrase increases your susceptibility to a brute-force attack by six orders of magnitude! What the article also admitted, but only obliquely, was that the actual decrease in the time necessary to crack the encryption was from 100,000,000,000,000,000,000,000 times the age of the known universe to "only" 100,000,000,000,000,000 times. Yes, that is six orders of magnitude, but who cares?

Yes, a trivial WPA passphrase can be cracked. But until someone proves that he can crack a passphrase that I've chosen, I'm not going to lose any sleep over it.

Bob

Reply to
Robert Coe

Instead of looking at this as just a cracking tool, could it be used to test the vulnerability of the WPA2 password we have selected?

Reply to
Bill Bradshaw
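
An added example, not part of any post in this thread: a small self-audit for a WPA/WPA2-PSK passphrase and SSID you own. It derives the pairwise master key the standard way (PBKDF2-HMAC-SHA1 salted with the SSID), which shows why a pre-hashed dictionary only applies to the SSID it was built for, and flags the weak choices discussed above. The wordlist, the common-SSID list and the guess rate are constructed assumptions.

```python
import hashlib
import math
import string

# Constructed sample data: stand-ins for a real wordlist and a list of common SSIDs.
WORDLIST = {"password", "letmein1", "sunshine", "qwertyuiop"}
COMMON_SSIDS = {"linksys", "default", "NETGEAR"}

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def alphabet_size(passphrase: str) -> int:
    """Combined size of the character classes the passphrase draws from."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    return sum(len(c) for c in classes if any(ch in c for ch in passphrase))

def audit(passphrase: str, ssid: str, guesses_per_sec: float = 1e5) -> dict:
    """Audit a passphrase/SSID pair for your own network.

    guesses_per_sec is an assumed attacker rate, not a measured one.
    max_bits is an upper bound: it is only reached when every character
    is chosen at random, so a memorable phrase is worth less than this.
    """
    findings = []
    if passphrase.lower() in WORDLIST:
        findings.append("passphrase appears in the wordlist")
    if ssid in COMMON_SSIDS:
        findings.append("common SSID: pre-hashed tables can be reused against it")
    if len(passphrase) < 20:
        findings.append("shorter than 20 characters")
    bits = len(passphrase) * math.log2(alphabet_size(passphrase))
    years = (2 ** bits / 2) / guesses_per_sec / (365.25 * 86400)
    return {"findings": findings, "max_bits": round(bits, 1), "avg_years": years}

if __name__ == "__main__":
    # Same passphrase, different SSID: the derived keys differ completely.
    print(wpa_pmk("password", "IEEE").hex())
    print(wpa_pmk("password", "linksys").hex())
    print(audit("password", "linksys"))
    print(audit("k7#Vq2!mZp9@Lw4$Xr8&Tn", "cabin-7f3a"))
```

Because the SSID is the salt, changing a factory-default SSID to something unique takes the network out of reach of tables computed for common names, independent of the passphrase itself.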

e-teori hath wroth:

Thanks, but I already have far too many projects that I should be working on. I'm also a lousy programmer and don't collaborate very well. However, if you have any RF/wireless/radio related questions, feel free to bug me.

Reply to
Jeff Liebermann
