Well I am slowly putting in more and more wireless networks and am trying to work out the most secure way to implement them.
From just driving around my local town I am surprised to find the amount of un-encrypted networks that are easily joined. I have been looking into WEP cracking and have now seen that it's easily done (http://www.securityfocus.com/infocus/1814).
I am now looking at WPA-PSK which seems to be better but I have found that you can use dictionary attacks against this wireless encryption.
I currently use 128bit WEP and MAC address filtering but would like to know what else you can implement. Would WPA-PSK be stronger than WEP, although for older clients 802.11b networks don't appear to have any WPA capabilities?
So what can you do?
What setup should be used for you to have secure wireless network?
I'd use WPA and MAC filtering unless you can afford to go to EAP-FAST or PEAP, which can be costly and admin intensive. Place your APs outside your firewall so you can block what you can and do extensive logging.
Or VPN in, but even IPSEC VPNs can be hacked.
While there is no secure wireless, put up a good fence so that the attacker will go to the next network and leave yours alone.
Well, here's the list I'd use for protecting wifi access
* don't broadcast the SSID (although it still can be discovered when clients are connected to the AP)
* use MAC filters on your AP
* use WPA
* Use an IPSEC VPN (preferably with strong authentication) on top of the wifi access
I've seen people implement different wireless (in)security ;) measures, from PEAP to TLS/EAP and WEP/MAC-Filtering. Most require a fair amount of setup, as beardednose mentioned.
IMO, a fair solution to wireless security, at the moment, may lie in implementing a radius server. Radius servers support a variety of security measures, this one just happens to have screenshots of the PEAP implementation.
Has anyone tested the tools listed in this document? I am fairly well versed with Kismet but I hadn't heard of these newer tools. Of course I probably haven't been paying that much attention with the job change. I am going to use an older laptop and test some of this information out. Might be fun, I will post my results if I have any.
I would also recommend looking at wireless as a "least privilege" network. Since we all know that if someone really wants to get in..they'll get in...just plan to be hacked and minimize damage by:
1) Setting up the wireless network as a DMZ...completely separate from desktops, servers, etc. - ISOLATION is key. If they get in..leave them nothing fun to do!
2) Restricting outgoing traffic...perhaps ALL traffic (which leads into the next point)
3) Use an HTTP proxy that requires authentication (for bonus points, have AV protection on the proxy so all content is scanned before being delivered to the browser).
Obviously, use all the suggestions mentioned by others to secure your wireless, but beyond that, use the suggestions above as guidance for minimizing your losses should an unauthorized and malicious user get in.
On my wireless networks, I assume they are 100% compromised (or compromisable) at all times and secure the networks as such.
You may want to consider using Share Watch to see who's on what, as well as AirSnare which is a Wireless IDS.
When 802.11i is sold you'll have a better function for security than you would with the standard wireless available. You can read more about that at NWFusion
If you've been bitten by the wireless bug and want to know what's happening in the wireless world, a source of information for you would be Fierce Wireless
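The "see who's on your wireless" idea above (Share Watch, AirSnare), as an added example that is not part of this thread and is not code from either of those tools: a POSIX shell function that reads hostapd-style association log lines and prints every client MAC that is not on an allowlist, so unexpected joins can be alerted on. The allowlist, the MAC addresses and the log lines are constructed samples, and the hostapd "STA ... IEEE 802.11: associated" message format is assumed.

```shell
#!/bin/sh
# Added example: report wireless clients that associated but are not on an
# allowlist. Everything below is constructed sample data for the example.

# Known client MACs (space-separated; case does not matter).
ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"

# Constructed hostapd-style syslog lines (format assumed).
SAMPLE_LOG='Jan 10 21:04:01 ap hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated (aid 1)
Jan 10 21:05:17 ap hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.11: associated (aid 2)
Jan 10 21:05:18 ap hostapd: wlan0: STA 66:77:88:99:AA:BB IEEE 802.11: associated (aid 3)
Jan 10 21:06:02 ap hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.11: disassociated
Jan 10 21:07:40 ap hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.11: associated (aid 2)'

# unknown_wifi_clients ALLOWLIST  < log lines
# Prints each unknown MAC once, lower-cased, in order of first appearance.
unknown_wifi_clients() {
  awk -v allow_str="$1" '
    BEGIN {
      n = split(allow_str, a, " ")
      for (i = 1; i <= n; i++) allow[tolower(a[i])] = 1
    }
    # Only association events count; "disassociated" does not match this pattern.
    /IEEE 802\.11: associated/ {
      mac = ""
      for (i = 1; i < NF; i++) if ($i == "STA") mac = tolower($(i + 1))
      if (mac != "" && !(mac in allow) && !(mac in seen)) {
        seen[mac] = 1
        print mac
      }
    }'
}

# Stand-alone run over the constructed sample: prints de:ad:be:ef:00:01
printf '%s\n' "$SAMPLE_LOG" | unknown_wifi_clients "$ALLOWED_MACS"
```

In practice you would feed it the AP's live log (for example `tail -f` of the syslog file) instead of the embedded sample, and page yourself on any output line. Note that this is monitoring, not access control: a client that clones an allowed MAC will not show up here, which is the same limitation MAC filtering itself has.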
- WPA 128bit
- put your wireless access points into a DMZ, and have your wireless users tunnel into your network using a VPN
- turn off DHCP
- don't forget to change the default password on your access point or wireless router. B)
- not only disable SSID broadcast, also rename SSID
- change channel
- disallow administration via wireless
- MAC address filtering
@ BN From the initial post. (http://www.securityfocus.com/infocus/1814).
Quick update, it took forever to get an 802.11g card to work with kismet. I finally loaded a linux distro with a 2.6 kernel which has support for the prism54 cards built in. Collected 50k worth of encrypted packets and started aircrack against it. 14 hours later still no crack. I realize the number of packets collected is far less than some collected in the examples page. Also hindering my efforts was the fact that no weak IV packets were captured. I will recollect data at work next week. I am sure the sales dept has a bunch of older nics that will give me better data to work with.
In addition to the items listed, consider...
Any WEP key can be cracked. The more "random" your key is may slightly help but this is really only true against a dictionary attack.
*EAP can be a pain to admin and has its own security problems.
WPA is vulnerable to a DoS against the entire AP (on most implementations).
RADIUS isn't really going to provide any protection for the data and has to be configured carefully to avoid common mistakes.
IPSec VPNs, SSL VPNs, etc... are good but take time, hardware, and have to be maintained to be effective. Also some are vulnerable to certain MITM attacks.
MAC filtering will stop people from stumbling on to your network but is trivial to defeat.
Disabling SSID broadcast is a best practice but it does not really hide you from anything.
Disallow admin access from wireless network -- one of the best ideas I've heard all day!
DMZ the AP -- another good idea
Can also consider tunneling everything through SSH/SSL tunnels from the end user through the AP to another gateway.
While many of these defenses are marginal, they all should be looked at and considered. There is no real bulletproof way to defend your wireless network besides turning it off. Layer as many of these as possible and you are protecting yourself as much as you can.
Also consider what the importance of the data is and how likely you are to be attacked by someone who knows how to defeat these measures and has the time to be in range of your network and do it.
Alright, I have 100,000 encrypted packets and have been running aircrack for a week with a fudge factor of 4.
Obviously having weak IV's would help. I have come to the conclusion that cracking WEP isn't as easy as the aforementioned article claims it to be.
I will still play with this but unless anyone here has had success cracking 128 bit keys in a short time period, I am going to come to the conclusion that this information is bogus or there are other mitigating factors at best.
I have also been testing this and not had a great deal of luck with cracking these. I have even used a spare server (not installed it yet cos I wanted a good spec to test things with) and left it cracking a fairly easy ascii wep key (6 chars, 1-4 alpha, 5-6 numeric) and I haven't had the result turn out yet and I have been running it for 6 days now. Maybe I'll have a result on Monday morning but if not I'm gonna have to terminate it and actually install this server :(
So has anyone else had any more positive results on cracking WEP?
I'm gonna look more into the radius server now though.