From: msg on 5 Dec 2008 14:21

Jeff Liebermann wrote:
<snip>

I thought you had taken a sabbatical on security discussions <grin>

> Wireless is NOT easy to deploy or understand. There are quite a few
> pieces of the puzzle that must be correct or you have a security hole.
> The one that drives me nuts at corporate installations is the one
> you're working on. A shared key is easily compromised. People write
> it down, pass it to friends, and generally are sloppy. If I want to
> change the shared key, then I also have to change EVERYONE's shared
> key. Of course, there's no efficient key distribution system. Windoze
> has one where you place it on a USB dongle or floppy, but that also
> gets copied and passed around. If you want to avoid becoming the
> designated "key manager", do try to get a RADIUS server, where
> everything is managed in one place.

What with the problems in using shared keys and the hassle with distributing unique keys, even with RADIUS, don't you think my preference for using an open wireless network with VPN clients is an option, despite Mr. Navas' opinion of unknown risks?

>>A tunnel between client and linux box would be fine.
>
> A VPN tunnel may be secure but it's also a major performance hit.
> VPN's generate quite a bit of overhead and excess traffic. I have
> customers that use VPN's over public networks to ensure security.
> However, they're slowly moving to WPA2 encryption because of
> performance and complexity problems.

I use IPSec VPNs even with old and slow wireless handheld devices and notice no objectionable application interface performance hits (which is what counts to the user).

>>If Radius is
>>supported by most portables, I think this is the most realistic way to
>>go. What would I need either way?
>
> Save the VPN tunnels for remote access (i.e. over the internet and at
> public locations). That will give you security over insecure
> transport that you have no control over. For around the office WPA is
> adequate for small systems with a small number of users, where you
> have some control over all the machines.

Of course, but he is running 'hot spots' (from his previous posts).

> When you get to larger
> system, think about RADIUS servers for authentication, or a
> proprietary "wireless switch" which conglomerates everything into one
> box for central admin, but supports a large number of very simple
> wireless access points. There are far more expensive than your $1000
> budget, but I would look at them anyway to see what can be done.

Indeed, and for mission-critical work I wouldn't settle for less, but hot spots are another matter (my approach is specific to public access deployments that gateway private clients as well).

Michael
From: msg on 5 Dec 2008 14:28

Jeff Liebermann wrote:
<snip>

>>It would be nice to have a
>>way to differentiate between guests so that we get rid of freeloaders
>>in the neighborhood, but without the use of an account system.
>
> There are various "light weight" methods to limit casual access. None
> of them are even close to secure but will slow down the casual
> visitor. MAC and IP address filters, trivial encryption keys, and
> SSID hiding are common suggestions. The problem is that these will
> not stop the neighborhood freeloaders, which have sufficient time to
> figure out what you're doing.
>
>>It's
>>not practical to have to give out keys for each guest. Since it's
>>not possible to differentiate by anything else but MAC, this means
>>freeloaders are able to bypass my shaping profiles (which reduce a
>>MAC's bandwidth with bandwidth used, over time) by changing MAC. This
>>is still not a problem though, after three years of running our
>>hotspots, thanks to a shaper that gives an equal amount of bandwidth to
>>each MAC, egress and ingress.
>
> Well, that's a rough description of the problem. One solution is
> separate access points for the users and the visitors, where the guest
> access point can be unplugged after hours. It can also be setup so
> that all traffic from the guest AP goes to the internet and never sees
> the office LAN. This is best done by arranging for 2 routeable IP
> addresses from your ISP. One is for the inside LAN, the other for the
> guests. They share the same internet bandwidth, but never see each
> other's packets.
>
> This can also be done using access points (and wireless routers) that
> support more than one SSID.
<snip>

Not that you need a cheering section, but indeed that is also my approach on the combined public access and internal site(s) that I run; it also permits a different level of application security for the 'LAN' segment and different access controls. (It is not 'one network' as per Mr. Navas' pronouncements, but a collection of networks each with different expectations of security and the likelihood of anyone actually even being interested in exploits or penetration - after all, in my neck of the woods, there isn't much of value in I.P. to be sniffing, and there are much more obvious networks that _may_ actually have traffic worth sniffing for financial or other gain than non-profit and educational nets.)

Michael
From: Jeff Liebermann on 5 Dec 2008 14:33

On Fri, 5 Dec 2008 10:09:36 -0800 (PST), Chrisjoy <ultralibertarianer(a)gmail.com> wrote:

>On 5 Des, 18:25, Jeff Liebermann <je...(a)cruzio.com> wrote:
>Much good info, Jeff. Let me ask one question one more time.
>I don't need authentication. I welcome everyone inside my field
>strength to use my net. My primary (/only) concern is that the guests
>at my wireless lan are protected against each other. Protected from
>sniffing. Will a Radius Server make sure every connection to the
>access point will use a unique AES key?

Yes. The RADIUS server delivers a one time unique WPA/WPA2 key for each user and for each session.

From your description, it seems that you want to run a public hotspot on a corporate LAN. That's fine as long as you do something to keep the traffic separate. I'll stand on my comments that this is a dumb thing to do and that you should reconsider your approach. At the very least, keep the two systems separate.

It might be helpful to read the FAQ:
<http://wireless.navas.us/wiki/Wi-Fi_How_To#WPA.2FWPA2>

Note that the ZyXEL G-2000 Plus has a built in RADIUS server with PEAP authentication. There are some free and for-pay RADIUS servers on the internet which you can use for testing.

I'm late for a meeting and need to run. Maybe later.

This article has some references:
<http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1167675,00.html>
It also explains how the unique encryption key is created and delivered.

Also, you might need authentication if you're running RADIUS. This might help:
<http://articles.techrepublic.com.com/5100-10878_11-6148560.html>

-- 
Jeff Liebermann     jeffl(a)cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
From: Jeff Liebermann on 5 Dec 2008 14:38
On Fri, 05 Dec 2008 11:33:07 -0800, Jeff Liebermann <jeffl(a)cruzio.com> wrote:

><http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1167675,00.html>
>It also explains how the unique encryption key is created and
>delivered.

Oops. No, it doesn't explain it. It switched topics in mid paragraph and uses a PSK (pre-shared key) as an example. Sorry. Still, the article (and series) is well worth reading.

-- 
Jeff Liebermann     jeffl(a)cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
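Added example, not from the thread or from any product named in it, showing with Python's standard library the derivation Jeff's correction says the article skips: the PBKDF2 pre-shared key, the 802.11i PRF, and the per-session PTK from the four-way handshake. It answers Chrisjoy's question directly: with a shared passphrase every guest holds the same PMK and can reproduce another guest's session key, while a per-station PMK (what 802.1X/RADIUS hands out) keeps sessions apart. The MAC addresses, nonces and the two stand-in per-session PMKs are constructed values.

```python
import hashlib
import hmac

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """CCMP PTK (48 bytes) from the handshake inputs; the PMK itself never crosses the air."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)

# Constructed sample values (not captured traffic): one AP, two guest stations, fixed nonces.
AP = bytes.fromhex("020000000001")
STA1, STA2 = bytes.fromhex("020000000011"), bytes.fromhex("020000000022")
ANONCE1, SNONCE1 = bytes(range(32)), bytes(range(32, 64))

def guest_isolation(per_session_pmk: bool) -> bool:
    """True when STA2, knowing only what a guest knows (the hotspot passphrase plus the
    MACs and nonces visible on the air), cannot reproduce STA1's session key."""
    if per_session_pmk:
        # 802.1X/RADIUS: each station's PMK comes from its own EAP exchange, so STA2
        # holds only its own PMK. Both values here are constructed stand-ins.
        pmk1 = hashlib.sha256(b"constructed-msk-sta1").digest()
        known_to_sta2 = hashlib.sha256(b"constructed-msk-sta2").digest()
    else:
        # Shared passphrase: every guest derives the very same PMK.
        pmk1 = known_to_sta2 = wpa_psk("hotspot-passphrase", "guest-ssid")
    ptk1 = derive_ptk(pmk1, AP, STA1, ANONCE1, SNONCE1)
    reproduced = derive_ptk(known_to_sta2, AP, STA1, ANONCE1, SNONCE1)
    return reproduced != ptk1
```

The PSK function matches the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE" gives a PSK starting f42c6fc5...), so the derivation can be checked against the standard.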