Monday, April 28, 2008

Debunking Wireless Urban Legends, Part I - Wireless Networks are Intrinsically Insecure

by Lawrence Allhands

Securing a wireless network is serious business for any IT professional, but how secure do you need to be to truly protect your network from being attacked and ultimately compromised, and which techniques will best achieve that? WEP, WPA PSK, WPA Enterprise, WPA2 PSK, WPA2 Enterprise: with all of the wireless security standards and options available, and the conflicting advice of supposed wireless experts, it's no wonder that confusion reigns and urban legends are perpetuated. To develop a comprehensive wireless security plan, it is essential to know the facts, so we will first review the various wireless security options available.
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. - Sun Tzu
Wireless security options
· WEP (Wired Equivalent Privacy) - A deprecated wireless security protocol, introduced in 1999 to secure 802.11 wireless networks. In 2001, many serious cryptographic weaknesses were identified, and as a result WEP can be compromised within a matter of minutes.
· WPA (Wi-Fi Protected Access) - A wireless security system developed in response to the weaknesses of WEP. WPA was designed to replace WEP while the full security standard (802.11i) was being developed in the form of WPA2. WPA implements the majority of the 802.11i standard and was specifically designed to work with first-generation (pre-WPA standard) wireless network interface cards.
· WPA2 (802.11i - Wi-Fi Protected Access) - A wireless security system utilizing the full mandatory elements of the IEEE 802.11i standard. WPA2 employs a new AES-based algorithm, CCMP, which is considered fully secure. WPA2 will not work with some older network cards.
· PSK (Pre-Shared Key) - A "shared secret" which is shared between two parties over some secured channel prior to use. A PSK may be 8 to 63 printable ASCII characters or 64 hexadecimal digits, and may take any of the following forms:
o Password - dog679leg
o Passphrase - Spiderman beat Batman in 1994
o Hexadecimal string - 4E102AB2511CEE541
· Enterprise (802.1X RADIUS authentication) - Enterprise is meant for use with an 802.1X authentication (RADIUS) server, which distributes different keys to each user after authenticating their credentials. This is the most secure wireless networking technology in existence today.

Urban Legend: WEP can be cracked in a matter of minutes
Status: True
Details: Early in 2001, Ian Goldberg, a cryptologist at Montreal-based security and privacy software developer Zero-Knowledge Systems Inc., along with researchers at the University of California, Berkeley, uncovered flaws in the IEEE 802.11 standard that allowed them to read WEP-protected traffic, inject traffic onto WEP-protected networks, and modify WEP-protected data. WEP should be regarded as cracked.
Solution: Never use WEP! If for some reason you have to, add additional layers of security, such as a virtual private network (VPN) or the IPSec security protocol, before allowing data to cross from the wireless network into a secure corporate system.
Urban Legend: WPA PSK & WPA2 PSK have also been cracked in a matter of minutes
Status: False
Details: In late 2004, many headlines stated that WPA had been cracked. In reality, the standard had never been cracked; rather, a WPA PSK implementation with a weak "shared secret" had been cracked. Here is how it works: a hacker uses a tool to scan the wireless airwaves for access points and wireless clients. When he finds a wireless client, he kicks it off the target access point by injecting deauthentication (DeAuth) packets between them. Then the hacker watches as the client re-associates, completing the handshake with the access point. In doing so, he captures the encrypted "shared secret" (the PSK). Now the hacker has the captured key material on his computer, but he must still use a dictionary or brute force attack to obtain a working PSK and gain access to network resources.
A dictionary attack differs slightly from a brute force attack. Where a brute force attack simply tries every combination of characters in a password, a dictionary attack first tries a list of common words and passphrases in the hope of guessing the password. The hacker will most likely try a dictionary attack first, hoping for a quick break. If the password is randomly generated, he will be forced to fall back on the brute force method.
The time it takes a brute force attack to guess a password is a function of the computing power available (number of attempts per second) and the length of the random password. For instance, if a hacker can test 100 candidates per second and you used a single-character random password drawn from a-z, A-Z and 0-9 (72 characters), it would take approximately 0.72 seconds to crack it:
72^1 character combinations / 100 character combinations per second = 0.72 seconds
If we move from a single character to an eight-character random password, we get the following:
72^8 character combinations / 100 character combinations per second = 7222041363087.36 seconds, or approximately 319,849 years.
Once the hacker has successfully guessed your password, he will have the plain text PSK and will be able to freely access your network resources.
Solution: If you use WPA or WPA2 PSK, make sure you use a long random key. Most experts recommend a 20-character key for minimum security, but you may use a key up to 63 characters long for very high security. There are many random WPA key generators online; use one to ensure a truly random key. Finally, rotate your keys annually. This will ensure your WPA PSK network is very secure.
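As an added example (not from the original post), the following Python script applies the PSK format rules and the brute-force time formula given above: it validates a candidate key against the 8-63 printable ASCII / 64 hex digit rule, estimates the worst-case time to exhaust a random key of a given length, and generates a random 20+ character key from the operating system's CSPRNG instead of an online generator. The 72-symbol alphabet size and the 100 guesses per second rate are the post's own figures and are passed in as parameters; the generator itself draws from the 62-symbol a-z, A-Z, 0-9 set.

```python
import math
import secrets
import string

# Alphabet the generator draws from: a-z, A-Z, 0-9 (62 symbols).
ALPHABET = string.ascii_letters + string.digits
SECONDS_PER_YEAR = 365 * 24 * 3600


def is_valid_psk(psk):
    """802.11i pre-shared key rule as stated in the post:
    8-63 printable ASCII characters, or exactly 64 hexadecimal digits."""
    if len(psk) == 64:
        return all(c in string.hexdigits for c in psk)
    return 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)


def brute_force_seconds(length, alphabet_size, guesses_per_second):
    """Worst case: every combination tried, alphabet_size ** length / rate."""
    return alphabet_size ** length / guesses_per_second


def brute_force_years(length, alphabet_size, guesses_per_second):
    return brute_force_seconds(length, alphabet_size, guesses_per_second) / SECONDS_PER_YEAR


def generate_psk(length=20):
    """Random PSK from the OS CSPRNG (secrets), in place of an online generator."""
    if not 8 <= length <= 63:
        raise ValueError("WPA PSK must be between 8 and 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def key_report(psk, alphabet_size=len(ALPHABET), guesses_per_second=100):
    """Summarise a key: validity, length, entropy bits and years to exhaust."""
    return {
        "valid": is_valid_psk(psk),
        "length": len(psk),
        "entropy_bits": round(len(psk) * math.log2(alphabet_size), 1),
        "years_to_exhaust": brute_force_years(len(psk), alphabet_size, guesses_per_second),
    }


if __name__ == "__main__":
    # Reproduce the post's two figures (72-symbol alphabet, 100 guesses/second).
    print(brute_force_seconds(1, 72, 100), "seconds for one character")
    print(brute_force_years(8, 72, 100), "years for eight characters")
    print(key_report(generate_psk(20)))
```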
Urban Legend: Using "wireless LAN best practices" such as SSID suppression, MAC address filtering, static IP address schemes and RF signal suppression makes my network even more secure.
Status: False
Details: Many so-called wireless experts would have you believe that using widely published "wireless LAN best practices" in conjunction with 802.11 wireless security measures will make your network even more secure, by making it harder to detect or by creating multi-layered security. These practices include:
· SSID suppression
· MAC address filtering
· Static IP address schemes
· RF signal suppression or shaping
The fact is that an experienced hacker using freely available hacking tools will automatically defeat these measures in a matter of seconds. In reality there is no layered security here; these measures only create a false sense of security and cost valuable IT resources.
In addition, SSID suppression can make your wireless network less secure, because it forces your wireless clients to actively probe for the SSID, broadcasting it continuously wherever they go. This can make you vulnerable to an evil twin attack or to data seepage, which gives a hacker valuable information that can be used in social engineering.
Solution: Don't waste time or resources on these "wireless LAN best practices". They will not help secure your network, and may even make your network less secure in the end.
In conclusion, a wireless network can be effectively secured using either WPA/WPA2 Enterprise, or WPA/WPA2 PSK with a randomly generated key of 20+ characters. Anyone who tells you anything else is just perpetuating a wireless urban legend.

Lawrence W. Allhands
Director of Customer Service
Apprion, Inc.
http://www.apprion.com
