MercuryMarauder.net Forums    

  #1  
Old 12-16-2006, 01:45 PM
Brother Mike
Contributing Member
 

Join Date: Nov 2002
Location: Dearborn
Posts: 133
Trader: (0)
WiFi Security

Hi Guys!

Opinion wanted: I am going to add a wireless Access Point to our office. If I use the MAC address filter to grant access to ONLY those MAC addresses how secure am I? Do I still need WEP or WPA?
  #2  
Old 12-16-2006, 02:33 PM
fastblackmerc
Fast Black Merc
 

Join Date: Jan 2004
Location: Somewhere in the N.C. Triangle
Age: 57
Posts: 16,979
Trader: (46)
I use WEP w/ 128-bit encryption, don't broadcast the SSID and use the MAC address filtering. I think that's about as secure as you can get. What is your company's official policy?
  #3  
Old 12-16-2006, 03:26 PM
jawz101
Senior Member
 

Join Date: Jul 2004
Location: Tulsa, OK
Age: 33
Posts: 482
Trader: (2)
how large is the organization? what do you all do?
depends on how large, what you can afford, & what data you are securing before I'd make a recommendation
  #4  
Old 12-16-2006, 04:51 PM
B.C. Bake
Vegas Marauder
 

Join Date: Nov 2004
Location: Las Vegas Nevada
Age: 49
Posts: 570
Trader: (0)
WPA

WPA-PSK with at least 20 character encryption, I go to all the hacker conventions to see what's out there. WEP is hackable....WPA-PSK to my knowledge not hackable. That's my
  #5  
Old 12-16-2006, 05:07 PM
duhtroll
If it weren't for my horse...
 

Join Date: Apr 2003
Location: 5865 of 7839
Age: 42
Posts: 4,237
Trader: (2)
+1 .

Quote:
Originally Posted by B.C. Bake View Post
WPA-PSK with at least 20 character encryption, I go to all the hacker conventions to see what's out there. WEP is hackable....WPA-PSK to my knowledge not hackable. That's my
  #6  
Old 12-16-2006, 08:34 PM
gja
Loose cannon
 

Join Date: Oct 2002
Location: USA
Posts: 442
Trader: (0)
WiFi in the workplace

Well, seeing as I actually am the manager of security and identity mgmt for my company, I will give you an educated opinion that is the result of in-depth research.

802.11i: like trying to clean out Fort Knox at high noon. 802.11i is the latest and greatest encryption standard. Ratified in mid-2004, it combines the Advanced Encryption System (AES) and TKIP to offer an almost unbreakable algorithm. Penetrating it is about as easy as driving away with all the gold in Fort Knox in broad daylight. Not available in most home router/WAPs.

Wired Equivalent Privacy (WEP): like taking candy from a baby. WEP is an encryption methodology used in most access points (802.11a and 802.11b). It's considered flawed and easily hackable. Breaking into a WEP network is dead simple. I own your files before you know my hand is even up your skirt.

Wi-Fi Protected Access (WPA) was created by the Wi-Fi Alliance in 2002 – in part out of impatience with the slow-moving 802.11i standard. The industry consortium’s consensus was that an alternative to WEP was needed quickly, and WPA was the result. To avoid multiple “standards” and conflicts later on, WPA was designed from the get-go to be compatible with 802.11i and was based on its early draft specifications. This sets WPA apart from a number of proprietary Wireless LAN security solutions that were developed by Proxim, Funk and other vendors.

WPA provides several security advantages. First, it uses a stronger key management scheme, by implementing the Temporal Key Integrity Protocol (TKIP). TKIP creates encryption values that are mathematically derived from a master key, and changes these encryption keys and IV values automatically (and transparently to the user) so as to prevent key stream reuse. This is important because WEP keys have to be changed manually, and this can be an administrative hassle, leading to administrators not changing the keys often enough (or not at all). TKIP also uses a Message Integrity Code called Michael that uses a 64 bit key. The integrity checker is designed to block forged messages.

There are two methods for generating the master key, and WPA operates in two different modes, depending on whether pre-shared keys are used or a central authentication server is available. For home users, WPA offers easy setup (one big problem with WEP was that many users found it too difficult or confusing to set up and manage, so they didn’t). Authentication is based on the Extensible Authentication Protocol (EAP) and can use pre-shared keys that make it simple to configure on the WAP and clients in small network settings: you manually enter a password, and then TKIP does its thing, automatically changing the keys periodically. This is called PSK (for PreShared Key) mode.

Tip:
It is recommended that when using PSK mode, you should set a password with at least 20 characters.

At the large network level, operating in Enterprise mode, WPA supports RADIUS so that users can be authenticated through a centralized server. WPA 802.1x authentication methods include EAP-TLS, EAP-TTLS, EAP-LEAP, EAP-PEAP and other implementations of EAP.

WPA uses the same encryption algorithm for encrypting data that WEP uses: the RC-4 cipher stream algorithm. However, TKIP uses a 48 bit initialization vector, as opposed to the weaker 24 bit IV used by WEP.



WPA2 (Wi-Fi Protected Access 2) provides network administrators with a high level of assurance that only authorized users can access the network. Based on the ratified IEEE 802.11i standard, WPA2 provides government grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant Advanced Encryption Standard (AES) encryption algorithm. WPA2 can be enabled in two versions - WPA2 - Personal and WPA2 - Enterprise. WPA2 - Personal protects unauthorized network access by utilizing a set-up password. WPA2 - Enterprise verifies network users through a server. WPA2 is backward compatible with WPA.


You said this is for the workplace, so your choice should be driven by what this exposure means to your workplace. The higher the risk, the more secure your wireless will need to be to mitigate the inherent insecurity posed by a wireless facet of your network.

Thus endeth today's lesson, go forth and be safe!

Last edited by gja; 12-16-2006 at 08:37 PM. Reason: oops
  #7  
Old 12-16-2006, 09:40 PM
silver_2000
Server Administrator
 

Join Date: Oct 2002
Location: Carrollton TX
Posts: 280
Trader: (0)
To answer the original question.
Yes, you need security - the type depends on how you implement the WiFi

Are you connecting the WiFi directly to the internal network?

It's safer to just provide relatively easy to configure, connect to and maintain Internet access. If you have any turnover at all, managing MAC addresses is a HUGE pain. Unsuitable for more than 3 or 4 client PCs.

The easiest and safest way is to implement decent wireless security, like WPA or WPA2 (just to keep ne'er-do-wells off your internet connection). That connection only gets to the internet - THEN require strong VPN to connect to internal resources. That's the method many large companies use since the employees all already have VPN set up for off-campus connections.

People expect to be able to connect to wireless without jumping thru too many hoops.

Doug
  #8  
Old 12-16-2006, 09:51 PM
Brother Mike
Contributing Member
 

Join Date: Nov 2002
Location: Dearborn
Posts: 133
Trader: (0)
Silver,

Our office has 6 people and will only have two laptops. My plan was to restrict the access to the wifi signal to only those two laptops via MAC address. I do NOT have any people coming in with laptops. Small office building.
  #9  
Old 12-16-2006, 10:44 PM
jawz101
Senior Member
 

Join Date: Jul 2004
Location: Tulsa, OK
Age: 33
Posts: 482
Trader: (2)
B Mike, you've got the right idea.
That's practical enough for what you've got.

Last edited by jawz101; 12-16-2006 at 11:10 PM. Reason: KISS
  #10  
Old 12-17-2006, 08:22 AM
silver_2000
Server Administrator
 

Join Date: Oct 2002
Location: Carrollton TX
Posts: 280
Trader: (0)
Quote:
Originally Posted by Brother Mike View Post
Silver,

Our office has 6 people and will only have two laptops. My plan was to restrict the access to the wifi signal to only those two laptops via MAC address. I do NOT have any people coming in with laptops. Small office building.
I would still use WPA

It's pretty easy to grab the MAC and spoof it

But then you have to wonder what information are you protecting and how much effort is someone going to expend to get it?
  #11  
Old 12-17-2006, 11:43 AM
BruteForce
Stooge Certified
 

Join Date: Jan 2004
Location: Everett, WA
Age: 55
Posts: 2,742
Trader: (2)
I get a little chuckle each time I see WiFi and security in the same sentence.
  #12  
Old 12-18-2006, 07:30 AM
ckadiddle
Kiarauder
 

Join Date: Dec 2004
Location: Orlando, FL area
Age: 52
Posts: 4,325
Trader: (1)
Quote:
Originally Posted by BruteForce View Post
I get a little chuckle each time I see WiFi and security in the same sentence.
Yup. Me too.

Another phrase that makes me laugh is "Internet Security".
  #13  
Old 12-18-2006, 07:39 AM
mtenderenda
Senior Member
 

Join Date: Sep 2006
Location: Fair Lawn NJ
Age: 41
Posts: 410
Trader: (0)
I would still use WEP......Here's why...

Wired Equivalent Privacy (WEP) encryption and shared authentication helps provide protection for your data on the network. WEP uses an encryption key to encrypt data before transmitting it. Only computers using the same encryption key can access the network or decrypt the encrypted data transmitted by other computers. Authentication provides an additional validation process from the adapter to the access point. The WEP encryption algorithm is vulnerable to passive and active network attacks. TKIP and CKIP algorithms include enhancements to the WEP protocol that mitigate existing network attacks and address its shortcomings.
  #14  
Old 12-18-2006, 08:08 AM
silver_2000
Server Administrator
 

Join Date: Oct 2002
Location: Carrollton TX
Posts: 280
Trader: (0)
Quote:
Originally Posted by mtenderenda View Post
I would still use WEP......Here's why...

Wired Equivalent Privacy (WEP) encryption and shared authentication helps provide protection for your data on the network. WEP uses an encryption key to encrypt data before transmitting it. Only computers using the same encryption key can access the network or decrypt the encrypted data transmitted by other computers. Authentication provides an additional validation process from the adapter to the access point. The WEP encryption algorithm is vulnerable to passive and active network attacks. TKIP and CKIP algorithms include enhancements to the WEP protocol that mitigate existing network attacks and address its shortcomings.
Standard WEP doesn't include TKIP or CKIP - CKIP is ONLY available with Cisco equipment on both ends. TKIP is what makes WPA secure

Quote:
Cisco Key Integrity Protocol (CKIP) is Cisco proprietary security protocol for encryption in 802.11 media.
the same article you snipped also says
Quote:
If your Wireless Access Point or Router supports WPA/WPA2 Personal (WPA-PSK) then you should enable it on the access point and provide a long, strong password. The same password entered into access point needs to be used on this computer and all other wireless devices that access the wireless network.
And goes on to say that TKIP is what makes WPA more secure ....

Quote:
WPA/WPA2

Wi-Fi Protected Access (WPA/WPA2) is a security enhancement that strongly increases the level of data protection and access control to a wireless network. WPA enforces 802.1x authentication and key-exchange and only works with dynamic encryption keys. To strengthen data encryption, WPA utilizes its Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements that include a per-packet key mixing function, a message integrity check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and also a re-keying mechanism. Using these improvement enhancements, TKIP protects against WEP's known weaknesses.


so using wep by itself is a mistake



BUT if you want your computer to be VERY secure, unplug it and remove the keyboard