I've been trying to spread the word on what's real wireless LAN security and what's not. Can we put these wireless LAN security myths to sleep already? It seems like every few months someone comes out and pulls out the same old myths like snake oil.
Shouldn't we be asking ourselves "What am I trying to protect?"?
And wouldn't the answer be "Our Data"?
It would seem to me that protecting the data should be far more important than protecting the network it travels across.
If you implement my advice you are protecting everything. That includes your network, your laptop seepage profile, and your data.
"It lasts until the next generation of hackers is born."
That's a knee jerk response with no validity to it. If you understand how cryptography works, you wouldn't say that.
Good crypto lasts many decades without any kind of break. DES for example is more than 30 years old and it still doesn't have any flaws other than the bit size which has been fixed with triple DES. WPA/WPA2 uses TKIP and AES encryption.
"it lasts until the next generation of hackers is born."
I'd say, until the next generation of "CRACKERS" is born rather than implying that all hackers are criminal. That's a side point though and perhaps more an indication of lacking knowledge on your part. (a security professional that doesn't know something about hacker history? bahahahaa.)
Grammatical choices aside; are not a number of the *new* vulnerabilities simply things that are old enough for *new* administrators to never have known and old admin to have forgotten? (consider your favourite social engineering ploy for a moment) I'm sure I read that in a book just the other day; a real live physical book written on pressed plant matter and everything (BIN 1931769508).
Old flaws get forgotten and become new again so it's important to remember your history and continue good security practices.
New flaws get discovered and patched. If this generation missed a flaw, it'll be hardened or exploited by the next.
Neither fact of life is reason to just give up. When WPA becomes breakable by your lesser than average script kiddie, you'll just have to go out and buy new hardware or install a new firmware upgrade.
Whenever people start talking cynical that everything's breakable, I must point out reality. DES has been around for more than three decades and it doesn't have any cryptanalysis weaknesses to date. WPA has been around for 5 years now and it has never been broken to date. WEP on the other hand was designed to be weak during the late 90s so that it can get past export bans.
Oh it's a pretty piece of gear. Some genius took a notebook, maxed out the USB bus with wifi NICs then built in a custom Linux install to scan, log and decrypt any wifi signal that passes by. It can audit something like 200 wifi sources a second or some stupidly high rate like that.
I'm with you though, when people start talking cynical about security, they're just looking for excuses to not be secure; "oh, we don't bother with that practice since those punk kids will just find a way around it anyhow."
I may have to rethink the "hide your SSID" advice I've been posting all through the comments here however after considering your point. One source router blasting noise into space versus multiple client nodes blasting that information into space.
Am I correct in concluding that clients attached to a router without hidden SSID function statically so I'm not just getting a router plus my clients advertising the network?
The beacon is only 1 of 5 mechanisms that transmits the SSID in clear text. If you disable the beacon, you force every client to probe every 60 seconds wherever they go (or whenever they turn on).
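To make the point above concrete, here is an added example (not part of the original comment) that parses 802.11 management frames and reports which ones still carry the SSID when the beacon is blanked. The five SSID-bearing frame types are the beacon, probe request, probe response, association request and reassociation request; the network name `HomeLAN`, the function names and the capture itself are constructed for illustration.

```python
MGMT_HEADER_LEN = 24  # frame control, duration, three addresses, sequence control

# Management subtype -> (name, bytes of fixed fields before the tagged elements)
SUBTYPES = {
    0: ("association request", 4),     # capability, listen interval
    2: ("reassociation request", 10),  # capability, listen interval, current AP
    4: ("probe request", 0),
    5: ("probe response", 12),         # timestamp, beacon interval, capability
    8: ("beacon", 12),                 # timestamp, beacon interval, capability
}


def ssid_in_frame(frame: bytes):
    """Return (frame kind, SSID) for an 802.11 management frame, else None.

    The SSID is "" when the element is empty or all NUL bytes, which is how a
    beacon with SSID broadcast disabled (or a wildcard probe) looks.
    """
    if len(frame) < MGMT_HEADER_LEN:
        return None
    frame_type, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if frame_type != 0 or subtype not in SUBTYPES:
        return None                        # not a management frame we track
    kind, fixed_len = SUBTYPES[subtype]
    pos = MGMT_HEADER_LEN + fixed_len
    while pos + 2 <= len(frame):           # walk the id/length/value elements
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elem_len]
        if len(value) < elem_len:
            return None                    # truncated capture
        if elem_id == 0:                   # element ID 0 is the SSID
            return kind, (value.decode("utf-8", "replace") if any(value) else "")
        pos += 2 + elem_len
    return None


def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Constructed test frame: zeroed header and fixed fields, SSID, rates."""
    header = bytes([subtype << 4, 0]) + bytes(MGMT_HEADER_LEN - 2)
    fixed = bytes(SUBTYPES[subtype][1])
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported-rates element
    return header + fixed + bytes([0, len(ssid)]) + ssid + rates


def frames_exposing_ssid(frames):
    """Names of the frame kinds in a capture that carry a non-empty SSID."""
    found = [ssid_in_frame(f) for f in frames]
    return [kind for kind, ssid in filter(None, found) if ssid]


# Constructed capture for a network named "HomeLAN" with SSID broadcast disabled.
CAPTURE = [
    build_frame(8, bytes(7)),      # AP beacon, SSID blanked out
    build_frame(4, b"HomeLAN"),    # client probing for its network
    build_frame(5, b"HomeLAN"),    # AP answering the probe
    build_frame(0, b"HomeLAN"),    # client associating
]

if __name__ == "__main__":
    for frame in CAPTURE:
        print(ssid_in_frame(frame))
```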
In those terms, I can see how a single router calling out is less exposure than multiple clients calling out constantly.
For a business, I can see the benefit. You don't want your workstations wandering around town announcing your SSID constantly. You're also a business so displaying your presence and claiming a channel works to your benefit.
Also, in a business setting you're dealing in a highly active environment where anything providing false security is a waste of resources and possible blind spot if a snooper happens past.
For home, I'd still look at hiding SSID but again, this is primarily an etiquette thing. I don't want to display my presence blatantly any more than I want to stand at my front door repeating my name over and over. Also, you have a limited number of mobile workstations traveling limited distances. Unless one is thinking that SSID hiding on its own is security, doing so can't hurt.
Thank you for the clarification on this one though. I've plenty to learn about wifi (this was so much easier when it was just a wired NIC to know inside and out).
Using draft 1.0 802.11n gear is being a bad neighbor since you're jamming every channel in the 2.4 GHz spectrum and preventing others from using Wi-Fi. Beaconing SSID is not bad at all and it has zero adverse effects on your neighbor since you're only broadcasting every 100 ms. The fact that your SSID shows up on their laptop doesn't really matter since they can't connect to it anyways. The fact that you're not broadcasting your SSID doesn't prevent your signal from encroaching their air space since that's the nature of RF.
The best thing you can do to be a good neighbor is to use a channel that your neighbor isn't using and that helps your performance as well as your neighbor's performance. If your neighbors are on channel 6 and 11, use channel 1. Note that only 1, 6, and 11 are valid. This is the kind of advice you can use that has a real positive impact. Not broadcasting your own SSID doesn't do anything to improve performance, all it does is break a properly designed wireless network and it makes life difficult for the clients.
Anyone who's had a wifi running for more than a month has probably had their channel overcrowded. I've long considered Cain&Abel an admin tool though so the first thing I do when my Wifi goes screwy is check the scanner and see how crowded my channel is.
In a previous apartment, I was across from a school who apparently ran a wifi router or multiple machines ad-hoc. Any time my channel went screwy, I could pop up the scanner and watch the ad-hoc calls stack up.
In a more friendly time I would have jumped on the network and got a message through to the admin but that kind of unapproved "auditing" is taken badly these days.
Crap, that's right though.. 11n is multichannel to get through structural blocks and network noise. Ha, I guess that would DOS the local area by eating all possible channels. My recommendation of 11n hardware is still for the better hardware and latest firmware more than 802.11n itself. I'd just set the router to 11g then take advantage of any other features not in my old router.
Thanks though. That was something I hadn't considered previously. Actually, the initial article and resulting comments are part of what motivated me to finally take ten minutes and install OpenWRT. Sweet Damn is it fantastic; and that's before installing the apps to run SSID and Channel scans on the router from any non-wifi machine on my network.
A question for another time; Wifi reset network security back to where wired security was almost a decade ago. Has wifi and (by association) network security returned to where it was before wifi or are we still catching back up to it?
Good Wi-Fi is TKIP or AES encrypted and there's access control on who gets in and who doesn't.
Wired means anyone can usually come in and plug in to your network with zero access control. Few people implement 802.1x for wired networks and only now does Vista permit you to do automated 802.1x for wired connections. But even if you do use 802.1x access control, you still get no encryption. Wired networks can be tapped and it's even possible to tap it from the signal leakage of UTP cabling (with right equipment). There are even methods of tapping fiber optic cabling.
So you have it backwards, Wi-Fi is more secure than wires.
Once again, it's in the wording used. Your point is very good, do not get me wrong on this. BUT
"Wired means anyone can usually come in and plug in to your network with zero access control."
While this is Normally true, here is my problem with the statement.
A wired network requires physical access to the network.
A wired network CAN be secured just as well or more-so
A wired network CAN be easier to trace/track an attack or offending computer/user.
Other than that, I do agree with your post. Wi-Fi can be very secure and in many cases is more secure than wired connections from a regular (standard) setup.
Wireless means someone sitting across the street in a comfy car has access to your virtual wires. It goes through walls without a simple way of controlling the signal blob in space.
Wired means someone has to get into your building and find an open port. If your building is that insecure then you have other issues though you're likely to notice a random network cable running out your window to the neighbour's kid's bedroom.
In terms of logical networking, WiFi has encrypted transmission and authentication at the router where wired is an open signal contained in a metal medium and only authenticated if you set up a server for LDAP, AD or whatever you choose.
Logically, wired is less secure than wifi because wifi inherently needs encryption.
Physically, wired is more secure than wifi because someone has to walk through your door and plug into your router.
For businesses, it's a tossup perhaps. As a home user, I'm going to notice a stranger sitting on my couch and probably welcome them with a bokken in hand.
That's why I say that wired is still and will continue to be more secure than the ghost blob that carries the wifi connections. I happily use Wifi at home but I still keep router administration limited to a wired workstation.
I would say for almost all setups, wired is less secure.
Wireless is more secure in a business environment, or where people regularly come/go. Wi-Fi is also more manageable in many ways, like requiring a VPN to access the resources and WPA to connect.
Most of my posts on the matter are referring to a home network. Maybe I should state that more in my posts. Obviously, you wouldn't let just anyone walk in and plug into your wired net without noticing....
That said, the average (standard) setup, Wi-Fi is more secured. BUT, for more technical people or businesses that really secure their networks, wired can be more secure than Wi-Fi.
I want to go wireless on my home network, but I have backed off multiple times because I just don't have trust as yet.
George, you have basically blown out of the water some of my basic understandings on securing this network. Ie, mac address and a few others.
I want to go wireless 2 machines, with one more staying wired (FreeBSD file server). I live in an apartment building and don't want the yahoos bailing on my bandwidth let alone sniffing my traffic.
Ok, question 1. How do I stop them stealing my bandwidth? Thought this was done through the MAC IDs of the machines that belong.
Question 2. What home router offers the encryption that you are talking about?
Dan
Answer 1.
Using WPA-2 as suggested should make you safe enough. On a home network it should be fine to hide the ssid and use mac filtering. Remember, if someone really wants to get in, they will (wired or wireless). So the more that you can do, the better.
If you plan to have guests using your wireless as well, then mac filtering is not the best idea (more overhead).
Answer 2
Most of the brands for home routers have the ability to use WPA-2. Setting it up and getting the right SW installed on your system is the hardest part. But it should be a breeze anyway.
I don't allow apple computers on my network.
bahahaha.. ok, that amused me more than anyone else. I'm ok with that.
Actually, I manually add guest MAC addresses through my wired admin client. I have too few single-visit guests for adding/removing MAC to be an issue and a few repeat-visit guests where I just leave the MAC in the filter.
But for some it can be an issue. So, I usually state that if other people are going to connect, and they do not want the overhead, then not to use MAC filtering.
Yeah, kinda funny. It threw me for a minute "I don't allow apple computers on my network."
I can see manually managed MAC filtering being an issue in a business with many wifi workstations. Inet cafes would not be a good place for MAC filters either. Universities enter the MAC when you register for their network usually so that works too.
Business clients would need a slick, shiny solution though so you're looking at something that will "scale" (as they say).
Guess it really comes down to; does the client want security or does the client want to play at security. Either way, it's their network, we can only inform and oblige.
There are burdens to some models, especially ones that require a lot of overhead to control like MAC filtering. The tasks can be made simpler, but on a larger network, it is a bad idea to implement in 'most' cases.
But the best security for a wireless network is to use WPA2 and a VPN. For home use I recommend MAC filtering (depending on the situation) and hiding the SSID and using WPA or WPA2.
WPA or WPA2 with 10+ character random alpha-numeric passphrase. You're done. That's the advice I gave in the blog and that's the advice I give to everyone. Nothing to worry about at least from a WLAN security perspective.
I know you can use 63 characters with special characters. The problem is that some Wi-Fi gear will get tripped up on some special characters and you'll be racking your brain trying to troubleshoot the problem. I also tell people 10 characters because it's sufficient and I specially tell people the work-factor involved. If I demand 63 characters then it becomes harder to manage and fewer people will use it and that's the last thing I want. What I want is to make it as easy as possible with 10 characters and forget the VPN and forget the MAC filtering and all the other junk. This is the KISS principle to get as many people to use good security as possible.
It's pointless to play the one-up game and demand more and more of the user. There's a tendency for security consultants to want to sound smart and the more they demand from the user the smarter they think they are. I'm going to buck that trend and tell you what you need to keep people from breaking your wireless LAN unless they're willing to dedicate 100 years using one thousand quad core computers to break your key. If you got that much money and time and you're dumb enough to try and brute force my 10-character WPA key, be my guest.
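The passphrase advice in the post above, as an added example that is not part of the original post: it generates a random alphanumeric passphrase, derives the WPA/WPA2-PSK master key the way the standard specifies (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 iterations), and computes the work factor for a guess rate you supply. The SSID `HomeLAN`, the function names and any guess rate passed in are assumptions for illustration.

```python
import hashlib
import math
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, no special characters
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_passphrase(length: int = 10) -> str:
    """Random alphanumeric passphrase drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def keyspace_bits(length: int, symbols: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random passphrase of this length."""
    return length * math.log2(symbols)


def years_to_exhaust(length: int, guesses_per_second: float,
                     symbols: int = len(ALPHABET)) -> float:
    """Worst-case time to try every passphrase of this length at a given rate."""
    return symbols ** length / guesses_per_second / SECONDS_PER_YEAR


def measure_guess_rate(samples: int = 20) -> float:
    """Key derivations per second that one core of this machine manages."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"guess{i:05d}", "HomeLAN")  # constructed guesses and SSID
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    passphrase = random_passphrase(10)
    rate = measure_guess_rate()
    print("passphrase:", passphrase)
    print("PMK for SSID HomeLAN:", wpa_pmk(passphrase, "HomeLAN").hex())
    print(f"keyspace: {keyspace_bits(10):.1f} bits")
    print(f"this core: {rate:.0f} guesses/s, "
          f"{years_to_exhaust(10, rate):.3g} years to exhaust")
```

Because the SSID is the salt, the same passphrase yields a different key on every network name, so a table precomputed for one SSID does not apply to another.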