From: John Navas on
On Fri, 05 Dec 2008 23:27:15 +0000, Mark McIntyre
<markmcintyre(a)TROUSERSspamcop.net> wrote in
<nNi_k.100531$i92.11886(a)en-nntp-03.am2.easynews.com>:

>Chrisjoy wrote:
>> On 5 Des, 05:09, Jeff Liebermann <je...(a)cruzio.com> wrote:
>>> On Thu, 4 Dec 2008 14:26:46 -0800 (PST), Chrisjoy
>>>
>>> If you want encryption security, you should be looking at WPA-RADIUS
>>
>> Does this mean all payload goes through this RADIUS server, or is it
>> only for key distribution and authentication?
>
>This may sound rude, but you're way over your head. Seems to me you're
>planning a fairly large scale public wifi hotspot without really
>understanding the basic principles of networking, the difference between
>authentication and encryption etc.
>
>I'd suggest stepping right back and learning about how network security
>works.

Wow -- we actually agree on something!

Medic! Medic! :)
--
Best regards, FAQ for Wireless Internet: <http://wireless.navas.us>
John Navas FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>
From: John Navas on
On Fri, 05 Dec 2008 13:21:52 -0600, msg <msg@_cybertheque.org_> wrote in
<p_Gdne8zMoKr4qTUnZ2dnUVZ_szinZ2d(a)posted.cpinternet>:

>What with the problems in using shared keys and the hassle with distributing
>unique keys, even with RADIUS, don't you think my preference for using an
>open wireless network with VPN clients is an option, despite Mr. Navas'
>opinion of unknown risks?

I've said nothing of the kind. What I've actually posted are detailed
recommendations on how to run an open hotspot without real known risks.
Also covered in the wiki below.
--
Best regards, FAQ for Wireless Internet: <http://wireless.navas.us>
John Navas FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>
From: Jeff Liebermann on
On Fri, 5 Dec 2008 10:35:36 -0800 (PST), Chrisjoy
<ultralibertarianer(a)gmail.com> wrote:

>On 5 Des, 18:53, Jeff Liebermann <je...(a)cruzio.com> wrote:
>>
>> Running an open access point is not exactly my idea of security,
>> especially since you apparently don't care who uses it. I guess you
>> have to learn the implications the hard way.
>
>The only implication I need to be concerned about is the bandwidth used.

Nope. There are plenty more risks. I'll admit that they're minimal
as the courts don't seem to be very interested in untangling complex
technical issues. Off the top of my head:
1. User downloads illegal content. Copyright holder sues the IP
address found in his logs, which is your router.
2. User engages in file sharing. RIAA and friends sue under DMCA.
3. User engages in file sharing and eats ALL your bandwidth. File
sharing software can be configured to minimize the bandwidth impact,
but when it's someone else's bandwidth, NBC (nobody cares).
4. User engages in spamming and gets your IP address blacklisted.
This has happened to me, so I know the implications.
5. ISP gets irate that you're actually using the bandwidth they
advertise and pulls the plug for "excess use". Comcast limits
bandwidth to 100Mbytes/month, but others are less lenient.
6. User does something to hog ALL the available OUTGOING bandwidth.
Other users on system have plenty of download bandwidth available, but
because the ACKs don't make it back to the connected system, they get
disconnects and timeouts.

That should be enough of a start.

>I want to give away bandwidth for free, for visitors and those few
>freeloaders in the neighbourhood.

Fine. It's your bandwidth to do (mostly) as you please. However,
please don't include what I guess to be your employer into your
agenda. As I recall, you're doing this with your employer's bandwidth:
"Bring about a network at work where everyone is welcome
to connect wirelessly, but protected against sniffing pay load."
Which is it? Your bandwidth or your employer's? If it's your
employer's, you might want to contact the company attorney to see if
they think your philanthropic enterprise is worth the legal exposure.

>This means my security concern is
>NOT to find an encryption/protocol to keep ppl out, but find an
>encryption/protocol to keep people from sniffing each other's payload
>packets. You said WPA(1/2) alone does not offer a unique key for
>every connection, but with RADIUS, I will get this.

WPA or WPA2 RADIUS (a.k.a. Enterprise) will do just fine. Also, make
sure your wireless router or access point supports "AP Isolation".
You'll probably also need a "splash page" to warn people what's
happening, and to accept a login for company users.

>(I already got a net of dedicated access points outside my firewall
>only meant for visitors. I already got a time limit for the use of
>this WLAN network.

OK. Then install a wireless network for the inside users. Nothing
wrong with two access points and two wireless networks.

>Are you able to misread me other time, Jeff? :-)

Huh?
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl(a)comix.santa-cruz.ca.us
# http://802.11junk.com jeffl(a)cruzio.com
# http://www.LearnByDestroying.com AE6KS
From: Jeff Liebermann on
On Fri, 5 Dec 2008 13:35:24 -0800 (PST), Chrisjoy
<ultralibertarianer(a)gmail.com> wrote:

>I cannot help myself from thinking 802.11, and even Wi-Fi, is a pretty
>immature technology while not making it mandatory to support a unique
>key for each connection.

I could fabricate a rather large list of things that I wouldn't mind
seeing mandatory. "Secure By Default" is my favorite mantra. As Mark
said, tight security was not on the agenda in 1997. The assumption
was that wireless was only going to be used indoors, over very limited
ranges, only for limited applications.

Actually, the IEEE has been working on throwing everything except the
kitchen sink either into 802.11 or grafted on as an extension. See
shopping list at:
<http://en.wikipedia.org/wiki/802.11>

>Especially consider the fact that access
>points already support RADIUS server,

Nope. Only a very small number of access points have built in RADIUS
servers. What they do is *SUPPORT* RADIUS services by pointing RADIUS
authorization and authentication requests to a real RADIUS server. It
kinda makes sense because the typical RADIUS server is far too big to
fit inside the commodity router. It's also common to share the RADIUS
server function among a large number of access points.

>which means they already got CPU
>power and enough RAM to encrypt and decrypt connections using different
>keys,

If you read anything about the various open source Linux mutations
that run on commodity routers, you'll find the lack of RAM is the
major limitation to installing features. Also, CPU horsepower is a
serious problem with processor intensive applications such as VPN.
When running such services, the number of users and throughput are
usually severely limited.

>and where they fail is at as ridiculous a place as the simple
>task of making a DB handling keys and communicating them over an asymmetric
>encryption method.

Actually, they usually fail when the MAC address table, ARP table, or
other RAM intensive table fills and crashes the access point.
Incidentally, it's quite possible to use a flat file database instead
of a full blown relational monster DBM for RADIUS, thus making it fit
better inside the limited RAM found in the router.

>Only crazy ppl would do anything remotely
>sensitive on such a connection,

Are you calling all my customers crazy? Most don't have the slightest
clue what's considered "sensitive" or should not be run over an
unencrypted session.

>which makes straight 802.11 a toy for
>kids.

I fail to see the logic, but you're entitled to your opinion. Works
nicely in the Wii so it must be a toy.

>Not that I would dare to as much as remotely control a Markin
>train using 802.11. I have to say, digging into 802.11 has been a
>great disappointment.

With all due respect, I don't think you've done any digging into how
802.11a/b/g/n/i/k/etc works. Sure, there are problems, but they're
fairly minor compared to the 99.99% of the features and functions that
work as expected. Sure, it can be done better as one would expect
some progress in the last 10 years. Look at WiMax for an example of
how to do it right.

>They who develop this line of products, are
>they all kids finding communication without wire so fascinating they
>forget to be serious, at all!?

Nope. The developers are all quite serious. You'll find a list of
names attached to the various 802.11 documents on the IEEE web site.
However, if you plan on continuing this discussion, you might find it
more productive to not insult those who are trying to answer your
questions.

>Anyways, thanks for all your information and leads. I can now hurry
>away to my conclusion. I will not use another dime supporting our
>hotspot network, before there is an easy way to protect against
>sniffing. I do not consider setting up a RADIUS connection on the
>client side to be easy.

It's trivial on the client side. It's the server side that's complex.

>I will wait until the only information that
>needs to be put into a client is a pass phrase after choosing an SSID
>(with a signature fingerprint so that nobody can fake a trusty
>network), and that's it. When this is done, everyone should be
>protected from WLAN sniffing.

I've had rather bad luck getting clueless customers to use the
fingerprint readers on their laptops.

>If the 802.11 guys are not able to do
>this, they are not worth my time.

Not a problem. I'm sure your employer will appreciate your limited
efforts on their behalf.

>Ten years of development, and not
>even solving this straight forward problem/solution, I would be
>ashamed!

Yep. Now, roll back the clock to 1995 (when 802.11 was originally
inscribed) and try to remember what personal computing was like at the
time. I suspect that nobody could have predicted the current
technology and applications. It's now 2008. Could I trouble you to
tell me what security protocols, encryption technology, and
applications support will be required for the wireless products of
2018? Take your time.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl(a)comix.santa-cruz.ca.us
# http://802.11junk.com jeffl(a)cruzio.com
# http://www.LearnByDestroying.com AE6KS
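A hostapd configuration fragment, added here as an illustration and not posted by anyone in the thread, that puts Jeff's two points into practice: WPA2 RADIUS ("Enterprise") with the access point forwarding authentication to an external RADIUS server rather than running one itself, plus AP isolation. The interface name, SSID, RADIUS server address, shared secret and NAS identifier are placeholders.

```ini
# hostapd.conf fragment (added example, not from the thread).
# hostapd treats '#' as a comment only at the start of a line, so no
# trailing comments are placed after values.

interface=wlan0
driver=nl80211
# Placeholder SSID
ssid=VisitorNet
hw_mode=g
channel=6

# An open hotspot is just the lines above: no wpa= line, no encryption,
# and every station can read every other station's frames over the air.

# WPA2 with 802.1X/EAP ("WPA2-Enterprise"). Each station derives its own
# pairwise key (PTK) from its EAP session, so stations cannot decrypt one
# another's unicast traffic. The group key (GTK) used for broadcast and
# multicast is still shared by all associated stations.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1

# The AP runs no RADIUS server of its own (eap_server=0 is the default);
# it relays the EAP exchange inside RADIUS Access-Request packets to an
# external server, which many access points can share.
# Placeholder address from the RFC 5737 documentation range.
auth_server_addr=192.0.2.10
auth_server_port=1812
# Placeholder; use a long random secret, set identically on the server.
auth_server_shared_secret=CHANGE_ME_PLACEHOLDER_SECRET
# Placeholder name identifying this AP in the RADIUS server's logs.
nas_identifier=visitor-ap-01

# Wireless isolation: the AP refuses to forward frames between its own
# stations, so one guest cannot reach another guest's laptop via the AP.
ap_isolate=1
```

The splash page Jeff mentions is a separate captive-portal component and is not covered by this fragment.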
From: John Navas on
On Fri, 5 Dec 2008 17:34:29 -0800 (PST), Chrisjoy
<ultralibertarianer(a)gmail.com> wrote in
<104c61e0-3ab4-4f7f-aa2b-a3dcbdfb3ced(a)f3g2000yqf.googlegroups.com>:

>The only thing you can read into my text when it comes to lack of
>knowledge is what is in my first message where I ask how to protect
>clients from each other. I didn't know this, and that's why I asked.

1. Your other messages make it painfully clear that you lack knowledge
of fundamental security matters like RADIUS authentication.

2. Your diatribe about not protecting wireless clients from each other
is misplaced -- there are a number of products with that capability, as
was pointed out to you. As a reminder, the common term is "wireless
isolation". <http://wireless.navas.us/wiki/Wi-Fi#Wireless_Isolation>
--
Best regards,
John Navas <http:/navasgroup.com>

"A little learning is a dangerous thing." [Alexander Pope]
"It is better to sit in silence and appear ignorant,
than to open your mouth and remove all doubt." [Mark Twain]
"Being ignorant is not so much a shame, as being unwilling to learn."
[Benjamin Franklin]