Slashdot Mirror

← Back to Stories (view on slashdot.org)

State of Secure Wireless Networking?

Posted by Cliff on from the protecting-your-airborne-packets dept.

Mr. Sketch asks: "At my office, they want me to add a wireless network and it seems like it could be possible to do it in a secure way, but I'm not 100% confident. The setup I was thinking of was 802.11g only (no backward 802.11b compatibility), WPA-PSK with AES encryption with a 15 character password consisting of upper and lower case letters and numbers and special characters, MAC filtering, no ssid broadcast, and no default anything (ssid, passwords, etc). How secure would this network be? What type of attacks would it be vulnerable to? I haven't found any tools to crack AES, only WEP, does that mean it's secure or I just that I haven't looked hard enough? I want the wireless computers to still be able to access the computers on our network, in fact ideally, I just want it to be a wireless extension of our wired network, but only if it's secure enough. I'm sure there are plenty of other companies who want to add wireless to their network, but want to be reasonably confident that it will be secure and are unsure of the current state of wireless security."

5 of 45 comments (clear)

  1. Why not use a VPN by Masarand · · Score: 2, Insightful
    Don't rely on the 802.11x security features, just put a Contivity VPN box between your wireless infrastructure and your LAN.

    This gives you bomb-proof security using proven technology, avoids key distribution problems and allows you to upgrade the wireless infrastructure with less effort.

    http://www.nortelnetworks.com/products/01/contivit y/

  2. Re:The same as it was last week... by T-Ranger · · Score: 2, Insightful
    I would tend to agree 100%. The whole slew of wireless technologies are changing too fast to choose WiFi specific solutions.

    Even if you go with a commercial VPN solution, with dedicated/specialized hardware, you would still have vendor independence with the APs... Since you could run multiple VPNs you have a nice upgrade path too. If you rely on the APs, then to upgrade you at best would have to flash every AP you have, or if thats not possible, replace all of them.

    My theory is to use the stupidest possible AP, in the stupidest possible mode (just a bridge) and do everything else with a real computer.

  3. Re:What about ad hoc problems? by petard · · Score: 2, Insightful

    Sure. And someone can add a second ethernet card to their machine, plug in a wireless access point, start a dhcp server and nat, and give the whole world wide open wireless access to your wired network. Or they could install a wireless card and run hostap wide open. Or use nocatauth and charge others for access to your network.

    If you don't have control over every (wired or wireless) computer connected to your network, outsiders could be able to connect to it. This problem is not restricted to the wireless domain. Run your network services accrodingly.

    --
    .sig: file not found
  4. As much as any other... by poofmeisterp · · Score: 2, Insightful

    It's only as secure as any new encryption method that comes out. WEP was thought to be secure until it was proven not to be. Now, WPA is said to be secure. It may or may not be. You won't know until you're either hacked or someone else is.

    Be warned: Turning off SSID broadcasting, enabling MAC filters, or even lowering your AP power levels can result in unexpected behavior.

    For instance, my Dlink access point/router has a firmware update that features WPA, but it doesn't work with my Gigabyte w/l card. A few small packets can get through, but large packets are right out of the question. Sometimes there will be windows of a few seconds where I can get traffic through, but they go away in 5 seconds or less.

    I switched back to WEP and everything was peachy. I then turned off SSID broadcasting. My w/l cards (all of them) would no longer recognize my active network because they couldn't "see" it. There isn't a way to hard-code or static-set the SSID name, channel, etc into my cards. You'll need to find one with hardware or software that supports connecting to networks that don't have a visible SSID. Basically, one that remembers what channel it was last on.

    It's frustrating. Also, if you're paranoid about security, run your traffic through a VPN. It's a pain in the butt to set up, but it should work. Get ready for lots of support calls, too. Calls like "It was working, but I rebooted my machine and now it can't see the network", "the network is slow", "Why does it say the signal quality is low a lot of the time and I'm using the network just fine?"

    You'll hear lots of that :)

  5. Re:The same as it was last week... by AKnightCowboy · · Score: 2, Insightful
    While AES is better then the RC4 algorithm used in WEP, it dosen't mean that a product using AES will be more secure. RC4 is not the problem with WEP. The poor implementation of RC4 is the problem. Specially WEP allows known weak keys.

    My main problem with WEP is it's silly to use outside of a group of about 10 people. After that you really need to use rotating keys that are different for each person, otherwise when some employee leaves your company then everyone's changing their WEP key. It just doesn't scale. It's fine for home use where you really don't care if your neighbor breaks into your porn stash (hell, I'd share my access if they had computers, but they don't). Cisco's LEAP protocol was a good step in the right direction, but alas, it was too immature and not battle tested and now has problems. We'll see how the other competing standards stack up.