From: Chrisjoy on 5 Dec 2008 11:53

On 5 Des, 05:14, Jeff Liebermann <je...(a)cruzio.com> wrote:
> On Thu, 4 Dec 2008 16:09:10 -0800 (PST), Chrisjoy
> <ultralibertaria...(a)gmail.com> wrote:
> >On Dec 4, 11:46 pm, Mark McIntyre <markmcint...(a)TROUSERSspamcop.net>
> >wrote:
> >> If you mean "protection against people who know your key" then neither
> >> is remotely useful...
> >What would be useful?
>
> WPA-RADIUS
>
> >VLAN?
>
> No. That just isolates broadcast domains by MAC addresses. MAC
> addresses are trivial to change or spoof, and therefore offer no
> security.

I thought a VLAN, using IPSEC, offered an end-to-end solution to protect against both sniffing and man-in-the-middle attacks. I don't care who gets into my network, only that those who do are not able to sniff on each other.

Well, this is not perfectly true. It would be nice to have a way to differentiate between guests so that we get rid of freeloaders in the neighborhood, but without the use of an account system. It's not practical to have to give out keys for each guest. Since it's not possible to differentiate by anything else but MAC, this means freeloaders are able to bypass my shaping profiles (which reduce a MAC's bandwidth with bandwidth used, over time) by changing MAC. This is still not a problem though, after three years of running our hotspots, thanks to a shaper that gives an equal amount of bandwidth to each MAC, egress and ingress.

> Incidentally, the IP addresses and data are encrypted by
> WPA and WPA2. However the MAC addresses are easily sniffable, even
> without the encryption key.
>
> >Any more practical solution?
>
> Yes. Proprietary schemes. Your application is too vague to offer a
> specific recommendation.

Does it mean a guest has to install software or hardware, and RADIUS does not? RADIUS is preferable, regardless of price, as long as it's a one-time payment.

> >Why isn't this issue discussed more?
>
> It's been discussed to death. Search Google groups or the web for
> "wireless security".

Can you give me a link to a discussion about security where the main concern is to protect each WLAN client from each other, and how this should be done without any extra needs than an inbuilt 802.11g card on a portable?

> >Is WLAN basically meant for
> >lifeless people who don't mind others to look into their "private"
> >stuff?
>
> Right. Wireless is for those that can't afford overpriced copper
> wires. I fail to see an economic motivation for wireless other than P2(m)P
> links between buildings where T1/3 is the only realistic alternative.

My motive for wireless is ONLY flexibility and practicality. It's impossible to put up a TP stick at any place where one would want to use a computer. Where this is possible, I would always choose cable.

> >Is 802.11 still an immature technology?
>
> Nope. The surest sign of success and maturity is pollution. You're
> doing your part to insure success.

I guess our definitions are not compatible. If it's important both to connect and to do it securely, I fail to see that success is accomplished.

> What is it you're trying to accomplish and what do you have to work
> with?

Answered in my last message.
From: Jeff Liebermann on 5 Dec 2008 12:25

On Fri, 5 Dec 2008 08:12:48 -0800 (PST), Chrisjoy <ultralibertarianer(a)gmail.com> wrote:

>Well, for all I know, the shared key principle with WPA could be only a
>way to stop intruders from getting into the network while there is another
>layer that offers protection against others with the same key. I don't
>know the details. That's why I'm asking. Do you know a good link with
>good info?

On what topic? WPA operation? The underlying encryption and authentication? The relationships to 802.11 and 802.1x? I'm not sure what to suggest. Start at:
<http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>
There are plenty of URLs and links that should help you dig deeper. If you need something specific, ask and I'll try to dig it out.

>Does this mean all payload goes through this RADIUS server, or is it
>only for key distribution and authentication?

RADIUS is only for authentication. Nothing goes "through" the RADIUS server. With the addition of a login and password, it can also be used for authorization:
<http://en.wikipedia.org/wiki/RADIUS>
Windoze 2003 server includes an Internet Authentication Service (IAS) service that uses RADIUS for wireless authentication. There are also a few wireless routers with small RADIUS servers inside. However, the bulk of the RADIUS servers are built on FreeRADIUS and a MySQL database. Perhaps a "how to" for setting up a wireless hotspot with a RADIUS server for authentication might help:
<http://www.howtoforge.com/wireless_hotspot_howto>

>Will the average
>portable computer equipped with 802.11b/g also have support for
>RADIUS?

Yes. They all do. If they're Wi-Fi Alliance certified, they can do both shared keys and RADIUS delivered keys.

>If so, I think this would be the best solution because I don't
>need clients to install software.

Correct.

>Bring about a network at work where everyone is welcome to connect
>wirelessly, but protected against sniffing payload.

WPA or WPA2 encryption is very effective at preventing sniffing.

>A linux solution
>is welcome because load balancing and bandwidth control is already
>done on such a box. I don't think I want to use more than $1000, and
>the cost must be one time only.

I can't tell if $1,000 or $1 will be adequate as you've supplied no details or requirements.

>The solution must be easy to deploy, at least for windows clients.

Wireless is NOT easy to deploy or understand. There are quite a few pieces of the puzzle that must be correct or you have a security hole. The one that drives me nuts at corporate installations is the one you're working on. A shared key is easily compromised. People write it down, pass it to friends, and generally are sloppy. If I want to change the shared key, then I also have to change EVERYONE's shared key. Of course, there's no efficient key distribution system. Windoze has one where you place it on a USB dongle or floppy, but that also gets copied and passed around. If you want to avoid becoming the designated "key manager", do try to get a RADIUS server, where everything is managed in one place.

>A tunnel between client and linux box would be fine.

A VPN tunnel may be secure but it's also a major performance hit. VPNs generate quite a bit of overhead and excess traffic. I have customers that use VPNs over public networks to insure security. However, they're slowly moving to WPA2 encryption because of performance and complexity problems.

>If RADIUS is
>supported by most portables, I think this is the most realistic way to
>go. What would I need either way?

Save the VPN tunnels for remote access (i.e. over the internet and at public locations). That will give you security over insecure transport that you have no control over. For around the office, WPA is adequate for small systems with a small number of users, where you have some control over all the machines. When you get to a larger system, think about RADIUS servers for authentication, or a proprietary "wireless switch" which conglomerates everything into one box for central admin, but supports a large number of very simple wireless access points. They are far more expensive than your $1000 budget, but I would look at them anyway to see what can be done.

--
Jeff Liebermann     jeffl(a)cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558
From: Jeff Liebermann on 5 Dec 2008 12:53

On Fri, 5 Dec 2008 08:53:46 -0800 (PST), Chrisjoy <ultralibertarianer(a)gmail.com> wrote:

>On 5 Des, 05:14, Jeff Liebermann <je...(a)cruzio.com> wrote:
>> On Thu, 4 Dec 2008 16:09:10 -0800 (PST), Chrisjoy
>> <ultralibertaria...(a)gmail.com> wrote:
>> >On Dec 4, 11:46 pm, Mark McIntyre <markmcint...(a)TROUSERSspamcop.net>
>> >wrote:
>> >> If you mean "protection against people who know your key" then neither
>> >> is remotely useful...
>> >What would be useful?
>>
>> WPA-RADIUS
>>
>> >VLAN?
>>
>> No. That just isolates broadcast domains by MAC addresses. MAC
>> addresses are trivial to change or spoof, and therefore offer no
>> security.
>
>I thought a VLAN, using IPSEC, offered an end-to-end solution to protect
>against both sniffing and man-in-the-middle attacks.

I know nothing of combining a VLAN with IPSEC. IPSEC is one of the encryption and authentication methods used for a VPN and has zero to do with a VLAN, which only limits or splits a broadcast domain.

>I don't care who gets
>into my network. Only that they who do, are not able to sniff on each
>other.

Please re-write the above so that it makes sense.

>Well, this is not perfectly true.

It also doesn't make sense.

>It would be nice to have a
>way to differentiate between guests so that we get rid of freeloaders
>in the neighborhood, but without the use of an account system.

There are various "light weight" methods to limit casual access. None of them are even close to secure but will slow down the casual visitor. MAC and IP address filters, trivial encryption keys, and SSID hiding are common suggestions. The problem is that these will not stop the neighborhood freeloaders, who have sufficient time to figure out what you're doing.

>It's
>not practical to have to give out keys for each guest. Since it's
>not possible to differentiate by anything else but MAC, this means
>freeloaders are able to bypass my shaping profiles (which reduce a
>MAC's bandwidth with bandwidth used, over time) by changing MAC. This
>is still not a problem though, after three years of running our
>hotspots, thanks to a shaper that gives an equal amount of bandwidth to
>each MAC, egress and ingress.

Well, that's a rough description of the problem. One solution is separate access points for the users and the visitors, where the guest access point can be unplugged after hours. It can also be set up so that all traffic from the guest AP goes to the internet and never sees the office LAN. This is best done by arranging for 2 routeable IP addresses from your ISP. One is for the inside LAN, the other for the guests. They share the same internet bandwidth, but never see each other's packets. This can also be done using access points (and wireless routers) that support more than one SSID. I use Linux based DD-WRT for the purpose. The problem is that I haven't figured out how to completely isolate the guest SSID. There's still some interaction. However, it's not a problem because DD-WRT supports "AP Isolation" which is really "client isolation", which prevents wireless clients from seeing each other.

>Does it mean a guest has to install software or hardware, and RADIUS
>does not? RADIUS is preferable, regardless of price, as long as it's a one
>time payment.

No. All Wi-Fi Alliance certified devices support both PSK (pre-shared key) and RADIUS (enterprise).

>Can you give me a link to a discussion about
>security where the main concern is to protect each WLAN client from
>each other, and how this should be done without any extra needs than an
>inbuilt 802.11g card on a portable?

Not offhand. I don't have a clue as to the size of your network, the speeds, the resources available, or what you're trying to protect. You also have a rather odd concept of security. If you are really trying to serve the GUM (great unwashed masses) just set up a separate open wireless portal for their entertainment and use. Keep the GUM off your corporate WLAN if you want to be secure.

>I fail to see an economic motivation for wireless other than P2(m)P
>links between buildings where T1/3 is the only realistic alternative.

I'll see if I can find some numbers for wiring an office. Offhand (i.e. bad guess), I was charging about $250 per wall jack for in-the-wall wiring. That doesn't include the managed switch where everything came together. That can add up fast, especially if you install extra jacks.

>My motive for wireless is ONLY flexibility and practicality. It's
>impossible to put up a TP stick at any place where one would want to
>use a computer. Where this is possible, I would always choose cable.

What's a "TP stick"?

>> >Is 802.11 still an immature technology?
>>
>> Nope. The surest sign of success and maturity is pollution. You're
>> doing your part to insure success.
>
>I guess our definitions are not compatible. If it's important both to
>connect and to do it securely, I fail to see that success is accomplished.

Running an open access point is not exactly my idea of security, especially since you apparently don't care who uses it. I guess you have to learn the implications the hard way.

>> What is it you're trying to accomplish and what do you have to work
>> with?
>
>Answered in my last message.

I didn't see any numbers except for the $1000 budget. Number of users, area you're trying to cover, max range, going through any walls?, type of equipment, servers available, type of traffic, number of access points that might be involved, number of wireless users, etc.

--
Jeff Liebermann     jeffl(a)cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558
From: Chrisjoy on 5 Dec 2008 13:09

On 5 Des, 18:25, Jeff Liebermann <je...(a)cruzio.com> wrote:
>

Much good info, Jeff. Let me ask one question one more time. I don't need authentication. I welcome everyone inside my field strength to use my net. My primary (/only) concern is that the guests on my wireless LAN are protected against each other. Protected from sniffing. Will a RADIUS server make sure every connection to the access point will use a unique AES key?
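The question above (and the "people who know your key" remark quoted earlier in the thread) hinges on a property of the WPA key hierarchy, so here is an added, runnable model of it. This is not code from the thread or from any of the projects it mentions. What it shows: in Personal (PSK) mode the pairwise master key (PMK) is PBKDF2 of the passphrase and SSID, so every guest holding the passphrase has the same PMK and can re-derive any other guest's per-connection key from values sent in the clear during the 4-way handshake; in Enterprise (802.1X/RADIUS) mode each association gets its own PMK from the EAP exchange, so knowing the passphrase or SSID buys a peer nothing. Per-connection keys are unique in both modes; the question that matters for guest-vs-guest sniffing is whether another key holder can reconstruct them. Assumptions, all labelled in the code: the passphrase, SSID and MAC addresses are constructed; the EAP-delivered PMK is modelled as fresh random bytes; and the 802.11i key expansion is replaced by an HMAC-SHA256 stand-in that keeps only the property the argument needs (the key depends on the PMK plus handshake-visible values).

```python
import hashlib
import hmac
import os

# Constructed, locally administered MAC addresses for the model (not real devices).
AP_MAC = bytes.fromhex("020000000001")
STA_A = bytes.fromhex("020000000002")
STA_B = bytes.fromhex("020000000003")


def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    Every station that knows the passphrase computes the very same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def enterprise_pmk() -> bytes:
    """WPA/WPA2-Enterprise (802.1X): the PMK is a per-session secret produced by the
    EAP exchange and handed to the AP by the RADIUS server. Assumption: modelled as
    32 fresh random bytes per association; the real EAP method is out of scope."""
    return os.urandom(32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Simplified stand-in for the 802.11i pairwise key expansion (assumption: the
    real PRF is replaced by HMAC-SHA256). The property that matters is preserved:
    the per-connection key depends only on the PMK and on values that are sent in
    the clear during the 4-way handshake (both MACs and both nonces)."""
    return hmac.new(pmk, b"|".join([ap_mac, sta_mac, anonce, snonce]), hashlib.sha256).digest()


def associate(mode: str, passphrase: str, ssid: str, sta_mac: bytes):
    """One station joins the AP in the given mode ("psk" or "enterprise").
    Returns (ptk, handshake_view): the station's pairwise key and the tuple that
    any other station on the same channel can observe during the handshake."""
    pmk = psk_pmk(passphrase, ssid) if mode == "psk" else enterprise_pmk()
    anonce, snonce = os.urandom(32), os.urandom(32)
    handshake_view = (AP_MAC, sta_mac, anonce, snonce)
    return derive_ptk(pmk, *handshake_view), handshake_view


def peer_recovers_key(passphrase: str, ssid: str, victim_ptk: bytes, handshake_view) -> bool:
    """Can another *legitimate* guest, who knows the same passphrase and SSID and saw
    the handshake, end up with the victim's pairwise key? The best such a peer can do
    is recompute the PSK-mode PMK; in enterprise mode the victim's PMK never left
    the EAP/RADIUS exchange, so that guess cannot match."""
    guessed_pmk = psk_pmk(passphrase, ssid)
    return derive_ptk(guessed_pmk, *handshake_view) == victim_ptk


def run_model(mode: str) -> dict:
    """Two guests A and B join; B tries to reconstruct A's key. Returns the verdicts."""
    passphrase, ssid = "hotspot-guest-passphrase", "CafeHotspot"  # constructed values
    ptk_a, view_a = associate(mode, passphrase, ssid, STA_A)
    ptk_b, _ = associate(mode, passphrase, ssid, STA_B)
    return {
        "mode": mode,
        "keys_per_client_unique": ptk_a != ptk_b,
        "peer_recovers_key": peer_recovers_key(passphrase, ssid, ptk_a, view_a),
    }


if __name__ == "__main__":
    for m in ("psk", "enterprise"):
        print(run_model(m))
```

Running it prints `peer_recovers_key: True` for the PSK mode and `False` for the enterprise mode, with `keys_per_client_unique: True` in both. The defensive reading for a shared hotspot is the one the thread arrives at: unique per-connection keys alone do not separate guests from each other; a per-session PMK (802.1X with a RADIUS back end) does, and an AP-side client-isolation setting covers the layer-2 forwarding path that encryption does not.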
From: Chrisjoy on 5 Dec 2008 13:35

On 5 Des, 18:53, Jeff Liebermann <je...(a)cruzio.com> wrote:
>
> Running an open access point is not exactly my idea of security,
> especially since you apparently don't care who uses it. I guess you
> have to learn the implications the hard way.

The only implication I need to be concerned about is the bandwidth used. I want to give away bandwidth for free, for visitors and those few freeloaders in the neighbourhood. This means my security concern is NOT to find an encryption/protocol to keep ppl out, but to find an encryption/protocol to keep people from sniffing each other's payload packets. You said WPA(1/2) alone does not offer a unique key for every connection, but with RADIUS, I will get this. (I already have a net of dedicated access points outside my firewall only meant for visitors. I already have a time limit for the use of this WLAN network.) Are you able to misread me another time, Jeff? :-)