I would like to know at what level of encryption the WEP security was set? As I do have clients with wireless in place and some have been set to 128 bit and others are at 156 bit encryption.
The article at Tom's Networking indicates it was 128 bit WEP. Cracked in 3 minutes in an environment with numerous fake APs to increase the challenge.
Having looked at the tools they used in Auditor's Security Collection, a linux distro in live cd format, I can't imagine 156 bit would add too much to the amount of time required to crack it.
One of the tools they used, Aircrack, will test/adapt to different levels of encryption on the fly.
They (FBI) did indicate that it usually takes "5 to 10 minutes" to crack.
We use wireless in 3 mobile wireless labs on campus. We use a radius server, WPA, and a Certificate Authority. It's time consuming to set up but it's worth the security. This way a client would need the WPA key, a certificate, and also a domain account.
You need to take another look at Network Security, both wired and wireless. Both are at risk. Some of the biggest Network break-ins were on wired systems. All LAN & WAN are subject to break-ins. So why are we focusing on Wireless as the weak link? Hey, do you have Anti-virus software on your wired Network? If so, why?
I didn't really see any recommendations as to the solutions to this problem. Care to suggest?
If your setup supports WPA-PSK encryption, use it! - This version of WPA uses a PSK (Pre-shared Key) for authentication, so you don't need a Radius Server. All Wireless stations need to use the same PSK (Pre-shared Key). Data transmissions are encrypted using a 256 Bit key derived from the PSK. This key changes regularly, providing greater protection. WPA is more secure than WEP, and should be used if possible. I use this with a Netgear wireless router.
I have written a small (free) utility to generate a maximum length WPA key composed of random bytes. This is intended to improve the security and remove the possibility of dictionary attacks. It can be found here http://www.soroban.co.uk/wepkeygen.htm
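How a WPA-PSK key comes out of a passphrase, and how to generate a maximum-strength one, as an added example that is not part of either post above and is not the linked utility's code. It uses the standard WPA-Personal mapping (PBKDF2-HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output); the function names are made up for illustration.

```python
import hashlib
import math
import secrets
import string

PRINTABLE = {chr(c) for c in range(32, 127)}   # characters allowed in a passphrase
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit key a WPA-PSK station derives from passphrase + SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not set(passphrase) <= PRINTABLE:
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode()
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def random_hex_psk() -> str:
    """64 hex digits: 256 random bits entered directly as the key, no passphrase step."""
    return secrets.token_hex(32)


def random_passphrase(length: int = 63) -> str:
    """Maximum-length passphrase for devices that only accept the passphrase form."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string; the derived key caps the benefit at 256."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # The derivation is deterministic, so a dictionary word on a known SSID always
    # maps to the same key. Random input is what takes guessing off the table.
    print(derive_pmk("password", "IEEE").hex())
    print(random_hex_psk())
    print(random_passphrase(), round(entropy_bits(63)), "bits")
```

Every station must be given the same value, and changing the SSID changes the derived key even when the passphrase stays the same.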
Is the only solution to replace older 802.11b hardware with a new 802.11i router? Or can this WEP vulnerability be dealt with somehow with software?
Besides 802.11i, you can also always try limiting which MAC addresses from which you'll accept connections (if your hardware supports MAC filtering), use static IPs with only certain IP addresses being allowed to connect (if your router and/or firewall allow that functionality), and take other precautions. None of this does anything about the WEP failings themselves, though: they just involve plans for what to do for security in case someone cracks your WEP key.
Keep in mind, though, that these techniques will only slow down the most casual (or stupid) of attackers. They are almost useless in ensuring wireless network security. If you can use WPA on your wireless network, do so.
Another option, of course, is simply to give up on wireless security and set up wired network segments with better security that, perhaps, connect to each other by way of the wireless network. If that's what you do, be aware that anything communicated between those network segments will effectively be in the clear for anyone to pick up, including any authentication you may use for the wired segments that gets transmitted between segments. You can then separately firewall and authenticate each wired network segment, though. This sort of added layer of security can also be used IN ADDITION TO wireless security efforts, and is actually a good idea if your networking needs allow for it.
No offense - you make an interesting (if belabored) point - OK, so wireless is insecure - we all know that, and if we do not, your article still does not help. You offer no solutions - just vague suggestions - this is not "Business Weekly", the WSJ or "Technology Trends"; this is Tech Republic - we are already technicians and are looking for technical solutions to our issues - not another article that offers no real information, much less solutions.
Thanks for nothing.
P.S. Sorry to sound so harsh, but I want my 3 minutes back.
There seems to be quite a need to throw stones at wireless networking, due to the lack of "locked down" security. The users of wireless are either choosing to forgo the security or are surely aware that if they are not employing a tunneling protocol they are allowing their data to be transmitted in open clear text. If there is no new information to be added then why not let this dog be?
blu97ram
SE CWNA
Couldn't you at least have posted some links to the solutions you mention if you're too lazy to elaborate yourself? I doubt there is any IT person unaware of wireless insecurity, and your troglodyte response to eschew wireless technology is just plain impractical.
I do not think wireless will go away. The possibility to quickly set up a network inside a building or out in the field for a deployment instead of waiting for cabling and ducting to be laid should not be rejected. Some balance must be found that will allow for the free flow of information so work can be done and the legitimate need for security. Before any network deployment, wired or wireless, a risk analysis needs to be performed. The possible threats, the probability of occurrence and the potential damage need to be weighed against the available resources. Security tools, many of which were mentioned in the article, should then be applied according to the conclusions of the risk analysis. It comes down to how much risk one is willing to live with in order to cost effectively get the job done.
Obviously the author of this article doesn't read the *other* articles on TechRepublic, or he might have seen this one: which explains a little bit about WPA and how it fixes the security problems with WEP.
Essentially WPA (not WPA-PSK, which is slightly different), is a combination of WEP, 802.1x authentication, TKIP, and MIC. Together, these technologies offer per-user authentication, two levels of key rotation, and an enhanced packet integrity check.
To understand why WPA fixes WEP, it helps to first understand what's wrong with WEP. WEP actually uses the same base encryption algorithm as the venerable and highly trusted SSL standard (used for https secure web pages for example). The problem lies in the weak algorithm that WEP uses to do per packet key rotation. This key rotation is weak enough that it's possible, after gathering enough encrypted packets, to predict the key rotation and decrypt subsequent traffic. (see this URL for far more detail: )
802.1x authentication, which is part of the WPA standard but can also be used without WPA, provides three advantages over WEP alone. The first is that 802.1x eliminates the problem of distributing and redistributing one static WEP key to every user. How it does this is closely tied to the second advantage of 802.1x. 802.1x authenticates users attempting to connect to the wireless Access Point against a Radius server. The Radius server can then, of course, backend that authentication to almost any enterprise authentication store (AD, NDS, etc). The third advantage that 802.1x provides is that each user is given a separate, unique WEP key, and you can do primitive but effective key rotation by timing out the user's login session. The client will re-connect in the background and the user will get a new WEP key. It sounds clumsy, but works quite well in practice.
With 802.1x and WEP, breaking WEP becomes very difficult. Aside from the key rotation (usually set to 5-30 minutes by most admins), there is the practical issue that none of the current WEP cracking tools are smart enough to see when the key rotates or to see that each user has a different key. The result is that the attacker wastes his time on the mathematically impossible task of taking packets encrypted by more than one WEP key and attempting to crack one single WEP key that will "fit" all of them.
TKIP adds an enhanced per-packet key rotation (making WEP cracking even more unlikely) and MIC provides an enhanced packet integrity check (to prevent packet alteration and man-in-the-middle attacks).
The combination of these three technologies makes WPA potentially *more* secure, not less secure than a wired connection (do *you* authenticate users on your wired ethernet connections? Most companies don't).
Now there are still two remaining legitimate concerns about wireless networks. One is that they indeed are lower bandwidth than a wired ethernet connection. The second is that it is not only possible, but easy to create a local denial of service. The simplest and most difficult to block denial of service would be a high volume radio transmitter in the 2.4GHz (or for 802.11a, 5GHz) range. For these reasons, I recommend wireless as an *addition* to wired connectivity. Wireless is great for meeting rooms, for impromptu workgroups and other circumstances where roaming about the building is desirable. But all critical users should have a wired connection at their desk.
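What the per-packet key looks like in WEP, as an added illustration that is not part of the post above: each frame's RC4 key is a 24-bit IV, sent in the clear, followed by the shared secret, so "128-bit" WEP has 104 secret bits and two frames with the same IV share one keystream whatever the key length. The IV, secrets and frame contents below are constructed samples.

```python
import zlib

IV_BITS = 24  # WEP's per-packet IV is 3 bytes and travels unencrypted in each frame


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                        # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                           # keystream generation and XOR
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """Encrypt payload + CRC-32 integrity value under the per-packet key IV || secret."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return rc4(iv + secret, payload + icv)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def reuse_leaks_plaintext_xor(secret: bytes) -> bool:
    """With a repeated IV, ciphertext XOR ciphertext equals plaintext XOR plaintext."""
    iv = b"\x00\x00\x01"                         # constructed IV used for both frames
    p1, p2 = b"constructed frame A", b"constructed frame B"
    c1, c2 = wep_encrypt(iv, secret, p1), wep_encrypt(iv, secret, p2)
    return xor(c1, c2)[:len(p1)] == xor(p1, p2)


def frames_until_iv_repeat_likely() -> int:
    """Birthday bound: about a 50% chance of a repeated random IV after this many frames."""
    return int(1.1774 * (2 ** IV_BITS) ** 0.5)


if __name__ == "__main__":
    print(reuse_leaks_plaintext_xor(b"\x11" * 5))    # "64-bit" WEP: 40 secret bits
    print(reuse_leaks_plaintext_xor(b"\x22" * 13))   # "128-bit" WEP: 104 secret bits
    print(frames_until_iv_repeat_likely())
```

TKIP, mentioned in the post, replaces this simple concatenation with a per-packet key mixing function and a longer sequence counter.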
First let me say that when it comes to wireless I am next to clueless. Having said that my boss wants me to add wireless capability to our wired network. One of the electronics engineers told him that to secure the network all you have to do is put a list of the accepted MAC addresses of any wireless device in the router/switch/hub and all others will be automatically blocked.
Is this right? Any info is greatly appreciated.
The EE who told you that apparently knows NOTHING about wireless security (or network security for that matter). MAC addresses can be *very* easily spoofed. There are a large number of easy to use wireless sniffers and MAC address spoofers that will allow even "script kiddies" to quite easily sniff your wireless traffic, find out the MAC address of a system allowed on your wireless, then spoof the MAC address of that system.
MAC address blocking is a waste of time PERIOD. The MOST effective way to secure your wireless network is WPA (and WPA2 of course).
Thanks for the info! I can see I've got a lot of reading ahead of me (My boss refuses to pay for training or even give me the time off for training if I pay for it!)
Any suggestions for detailed books/sites?
Thanks again!
I wouldn't say that "MAC address blocking is a waste of time PERIOD," as you have. Rather, I'd say that it's a waste of time in keeping out any attacker with a bare minimum of sophistication to his techniques. It is, however, an extra layer of security, which is (all else being equal) never a bad thing. As much as it looks like a waste of time, I'd recommend using MAC filtering on any network where you will have a predetermined set of connecting systems that will never (or almost never) change, as once it is set up your MAC filtering will then not need to be micromanaged and, as I said, an extra layer of (however weak) security is not a bad thing.
It certainly won't hurt, as long as you don't use it as a replacement for better options.