What wireless protocol to use with router?

Discussion in 'other firewalls' started by accessgranted, Mar 10, 2010.

Thread Status:
Not open for further replies.
  1. accessgranted

    accessgranted Registered Member

    Joined:
    Mar 10, 2010
    Posts:
    181
    Hi

    When trying to set up my wireless LAN connection, I see that the router options are:

    WPA2
    WPA2-PSK
    Mixed WPA2/WPA
    Mixed WPA2/WPA-PSK

    What's the best option to use security-wise, and why? Any downside to any of these options?

    Thanks.
     
  2. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    What router do you have? Usually when WPA2 is compared to WPA2-PSK (Pre-Shared Key) the former is used with a RADIUS server, but support for RADIUS isn't usually found on home gear.

    WPA2 (CCMP/AES) is more secure than WPA (TKIP), so mixed mode would be less secure than pure WPA2 (assuming of course that all your clients support WPA2).
     
  3. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,188
    Location:
    USA
    I use WPA2-PSK with an 18-digit key consisting of random numbers and letters, both upper and lower case. I used a random key generator, wrote the key down on paper, and put it in the router box after I configured it the first time. Have fun cracking that along with spoofing the MAC address of whitelisted NICs.
     
  4. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    I use WPA2-PSK. My opinion is that the best choice you can make is to get a router with a button for switching the wireless network on/off. Wireless does not have to be on all the time, for security and energy saving. Also check the routers that give the possibility of more than one wireless network, like one wireless for your guests and one for yourself. Also use a key with lower case, upper case and special symbols.
     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    If you have the option the most secure is WPA2-AES with a random alphanumeric password of at least 20 characters :)
     
  6. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    463
    Location:
    UK
    WPA2 if your other devices support it.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Here is an easy randomiser.

    Step 1: something you remember easily, but few know / not public knowledge.
    Take the location of the pub/hotel/restaurant where you celebrated your marriage, or the location (restaurant, the name of a theater, or the title of the movie/play you watched) where you first had a date with your partner, etc. Anything which can't be related to an existing address, publicly available data, or names of pets/family members/transportation you own.

    Step 2: making it fit the key length
    Add a street or date to fill it up to the longest character set your encryption allows (or likewise truncate from the right).
    e.g. white chapel rock cafe is 18 characters: whitechapelrockcafe

    Step 3: hashing your mnemonic literal into a base key
    Next take your cellphone and press the touch keys representing the numbers or letters. This is your base key:
    whitechapelrockcafe becomes 9448324273576252233

    Step 4: priming your hashed key
    Divide the above by 11. Now you are one digit short when you use the numbers up to the decimal point:
    858938570325113839.36363636363636
    Skip the numbers behind the decimal point and you get 858938570325113839. Multiply this by 11 and you get 9448324273576252229. Subtract this from the base key 9448324273576252233, which gives 4. Subtract this remainder from 11 and you get 7; use this digit. So the final key is 94483242735762522297.

    You can also divide it by 13 using the above method (subtracting the correction from 13).

    Cheers, Kees.
     
    Last edited: Mar 15, 2010
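    The four steps above, reproduced as an added example so the arithmetic can be checked (this is not code from the post or from any product). The mnemonic whitechapelrockcafe is 19 letters, so the keypad string is 19 digits and the correction digit brings the key to 20. The function names are this example's own; the post does not say what to do when the remainder is 0 or 1 (where 11 minus the remainder is two digits), so that case is handled by an assumption flagged in the code. The last two functions show what the recipe costs: every keypad digit is one of 2 to 9, so the key carries at most 3 bits per letter rather than the 3.3 bits of a random decimal digit, and the priming step leaves a structure that anyone who knows the recipe can test for.

```python
# Added example, not code from the post: reproduces the four-step
# "randomiser" above exactly as described (keypad mapping, divide by 11,
# round down, append 11 minus the remainder) so the numbers can be checked.
import math
from typing import Optional

# ITU E.161 phone keypad: 2=ABC 3=DEF 4=GHI 5=JKL 6=MNO 7=PQRS 8=TUV 9=WXYZ
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def keypad_digits(mnemonic: str) -> str:
    """Step 3: each letter becomes the keypad digit it sits on.
    Spaces and other non-letters are dropped, as in the post's example."""
    return "".join(LETTER_TO_DIGIT[c] for c in mnemonic.lower() if c in LETTER_TO_DIGIT)


def prime_key(base_key: str, divisor: int = 11) -> Optional[str]:
    """Step 4, as the post does it: round the base key down to a multiple of
    the divisor (floor(n / d) * d), then append d minus the remainder.
    Assumption of this example: when the remainder is 0 or 1 the post's rule
    gives a two-digit correction (11 or 10), a case the post does not cover,
    so None is returned instead of inventing a rule."""
    n = int(base_key)
    remainder = n % divisor
    correction = divisor - remainder
    if correction > 9:
        return None
    return str(n - remainder) + str(correction)


def derive_key(mnemonic: str, divisor: int = 11) -> Optional[str]:
    """Steps 1 to 4 end to end: mnemonic -> keypad digits -> primed key."""
    return prime_key(keypad_digits(mnemonic), divisor)


def has_scheme_structure(key: str, divisor: int = 11) -> bool:
    """What anyone who knows the recipe can test for free: the key without
    its last digit is a multiple of the divisor, the last digit is a valid
    correction, and (because the keypad never yields 0 or 1 and rounding
    down only disturbs the last two digits) no earlier digit is 0 or 1."""
    primed, correction = key[:-1], int(key[-1])
    return (int(primed) % divisor == 0
            and 1 <= correction <= divisor - 2
            and not any(c in "01" for c in primed[:-2]))


def entropy_bits_upper_bound(mnemonic: str) -> float:
    """Ceiling on the key's unpredictability: the correction digit is a
    function of the rest, and each keypad digit is one of only eight
    values, so the key holds at most log2(8) = 3 bits per letter, and far
    less when the letters spell a name or a phrase."""
    return len(keypad_digits(mnemonic)) * math.log2(8)


if __name__ == "__main__":
    phrase = "white chapel rock cafe"
    print(keypad_digits(phrase), derive_key(phrase), entropy_bits_upper_bound(phrase))
```

    Running the block with the post's own phrase gives the post's numbers: base key 9448324273576252233 and final key 94483242735762522297. The same phrase scores at most 57 bits by the ceiling above, and a great deal less in practice, because a guesser does not need to search all 20-digit numbers; it can search phrases and feed them through the same keypad map.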
  8. cruxx

    cruxx Registered Member

    Joined:
    Apr 12, 2009
    Posts:
    29
    Location:
    Paradise Lost
  9. wat0114

    wat0114 Guest

    Anything more than 12-15 characters for a home computer is overkill to the extreme. I mean, you aren't protecting a CIA mainframe, so what's the point. No one's going to be stupid enough to sit outside your home for weeks trying to crack your budget plastic box router just to get into your home pc. There's far bigger fish in the sea to challenge, after all. Even if they want to crack into a home pc, there's more than enough people ignorant enough running their wireless setups without any pass phrase at all, so why would they waste their time on even a moderately secured setup?
     
  10. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,188
    Location:
    USA
    For a challenge. There's plenty of script kiddies out there looking for the next challenge.
     
  11. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    What's the difference between WPA2 and WPA2-PSK? On my router I use WPA2 only/AES only with a pre-shared key, aka password.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    My security rules of thumb, based on the principle that there is no software compensation for user stupidity:

    Rule one: balance between paranoid and sane
    When being hunted by a lion, you do not need to outrun the lion, you need to outrun one of the others in the herd.

    Rule two: reducing the attack surface is far more effective than increasing the defense
    That is why I am a promoter of policy-based restrictions (OS freebies like UAC, SRP or ACLs) or defenses (e.g. DefenseWall V3, Online Armor's ability to run unknown programs as SAFER, Comodo V4's sandboxing of unknown programs) or alternatives (prefer Chromium with its sandbox over other browsers, prefer IE8's protected mode over Firefox's medium integrity level, etc.)

    Rule three: contingency ensures continuity
    Have a backup plan (in my case an image and data backup on an offline external hard drive).

    Rule four: set and forget prevails over think and decide
    So a strong encryption key on WPA2-PSK AES is a one-time job; the same applies to defense mechanisms which get around the problem, as KeyScrambler does for instance with keylogger threats.

    Rule five: staying out of risky places is also a defense mechanism
    Meaning I do not waste CPU on IP blocklists; use the server capacity of the DNS service you use (OpenDNS), preferably configured in your router. When using WOT or LinkScanner or SmartScreen in combination with Google search, you effectively have three blacklisting mechanisms: OpenDNS, Google and WOT/LinkScanner/SmartScreen. This will reduce the risk by at least 70%, is my guesstimate. The same applies to Trusteer Rapport: your browser checks certificates, and Trusteer Rapport is able to check the certificate and IP address as well.

    Regards, Kees
     
    Last edited: Mar 16, 2010
  13. wat0114

    wat0114 Guest

    Awesome quote, love it :thumb: :)

    Yes, but strong (especially when we're talking about a home router) can be a 10-15 character key, as long as, of course, it follows the rules of creating a strong password. I'm just trying to differentiate between a technically possible and a realistically "no-chance-of-happening" scenario. Case in point: where I live I can pick up 5-7 wireless networks at any given time. 4 of them are using WPA/WPA2, two are WEP, and the other has no security at all. If I was interested and criminally inclined to do so, I would certainly not waste my valuable time on the secured setups ;)
     
    Last edited by a moderator: Mar 16, 2010
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Agree, but the sample was from someone using an 18-character key.
     
  15. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,188
    Location:
    USA
    Yup, that's me. :p
     
  16. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    "PSK" is "pre-shared key". The other option is to use a RADIUS server. It's more secure but you need to have a computer on the network you can devote to acting as a full time RADIUS authentication server.

    As for general key length strength you might want to check this:
    http://blogs.zdnet.com/Ou/?p=127

    Then divide by 100:
    http://securityandthe.net/2008/10/12/russian-researchers-achieve-100-fold-increase-in-wpa2-cracking-speed/

    That is for brute-forcing the passphrase. Of course if you use a common word for the key a dictionary attack is much, much faster.
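    How a WPA/WPA2-PSK passphrase becomes the key, and why the dictionary point above matters, as an added example that is not from the thread or from any router vendor. The mapping itself, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), is the IEEE 802.11i definition and the test vector in the usage note is the standard's own; the SSID "linksys", the wordlist, the strong passphrase and the measured guess rate are constructed for this example.

```python
# Added example, not code from the thread: the passphrase-to-key mapping that
# WPA/WPA2-PSK actually uses, plus the offline dictionary attack the post
# above warns about.  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32) is
# the IEEE 802.11i definition; the wordlist, SSID and rates are constructed.
import hashlib
import time
from typing import Iterable, Optional


def wpa_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase mapping.  The SSID is the salt, so the same
    passphrase on two networks yields two different keys (and a precomputed
    table only helps against networks with that exact SSID)."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def dictionary_attack(target_pmk: bytes, ssid: str,
                      candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing: recompute the PMK per candidate and compare.
    A real attack checks each guess against the MIC of a captured 4-way
    handshake instead; here the PMKs are compared directly, and the cost
    per guess (one 4096-round PBKDF2) is the same either way."""
    for word in candidates:
        try:
            if wpa_psk_to_pmk(word, ssid) == target_pmk:
                return word
        except ValueError:          # outside 8..63 chars: cannot be a WPA key
            continue
    return None


def measure_guess_rate(ssid: str, guesses: int = 50) -> float:
    """Single-core Python PBKDF2 rate on this machine, in guesses per second."""
    start = time.perf_counter()
    for i in range(guesses):
        wpa_psk_to_pmk(f"candidate{i:05d}", ssid)
    return guesses / (time.perf_counter() - start)


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Worst-case brute-force time for alphabet_size**length keys."""
    return alphabet_size ** length / guesses_per_second / (365.25 * 86400)


# Constructed sample: a router left on a common default SSID and a weak key.
SSID = "linksys"
WORDLIST = ["letmein", "sunshine", "Peter123", "trustno1", "iloveyou"]

if __name__ == "__main__":
    weak_pmk = wpa_psk_to_pmk("trustno1", SSID)
    print("weak key recovered:", dictionary_attack(weak_pmk, SSID, WORDLIST))
    strong_pmk = wpa_psk_to_pmk("mX9#vQ2pL7sW4rT1kZ8b", SSID)
    print("strong key recovered:", dictionary_attack(strong_pmk, SSID, WORDLIST))
    rate = measure_guess_rate(SSID)
    print(f"{rate:.0f} guesses/s here; 8 lowercase letters: "
          f"{years_to_exhaust(26, 8, rate):.1f} years; "
          f"20 alphanumerics: {years_to_exhaust(62, 20, rate):.2e} years")
```

    The standard's test vector (passphrase "password", SSID "IEEE") yields a PMK beginning f42c6fc5, which is a quick check that the mapping is right. Two things the arithmetic makes visible: "letmein" is skipped because WPA rejects anything under 8 characters, so the minimum length is enforced by the protocol, not the router GUI; and because the SSID is the salt, a default SSID such as "linksys" lets an attacker reuse tables precomputed for that name, while a unique SSID forces every attacker to start from scratch. The rate printed is one Python core; GPU crackers of the kind the linked article describes are orders of magnitude faster, which is what turns "minutes" into "never" only for long random passphrases.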
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thanks, nice to know. Even with PC power doubling every year to year and a half, it is safe to use an 8-key passphrase as long as there are others around.

    Typical in a densely populated area: still one with no protection, similar to Wat0114, only no WEP around anymore, due to the move to glass-fibre connections and new modems being installed (half a year ago, WEP dominated).

    Downside of so many wireless devices in the neighbourhood: you have to move to 300N and use small-business-class routers to get a trouble-free connection.
     

    Last edited: Mar 17, 2010
  18. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Or the oft-forgotten 802.11a
     
  19. Matthijs5nl

    Matthijs5nl Guest

    Kees, I've got a question for you, since you are a promoter of using the options integrated in the OS.

    What is your opinion about DEP? I have chosen to use it on all programs and services. But is it actually any effective against malware?
     
  20. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Why use wireless? Try out powerline ethernet.
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have worked in an office which was an old residence. It had Ethernet through the power cables long before it was a consumer product. It worked well (and kept the design integrity of that majestic workplace intact).

    Only reason for keeping wireless were the work laptops of my wife and me.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, that is disputable, unless you set it through the config editor.

    DEP, ASLR, SEHOP are claimed to be broken on x86 (sorry Wilders, it is in Dutch): http://www.security.nl/artikel/32585/1/Nederlander_kraakt_Windows_DEP-beveiliging.html

    Still, the combo of UAC, protected mode, etc. raises the bar substantially.

    I personally have not met a malware or PoC being able to break the combo Chrome - Trusteer Rapport - ACL - LUA - DEP on an old XP Pro box. There will be stories of some sample breaking an element of this; I consider them the normal risks of life (I am planning my next holiday and certainly intend to fly to Vietnam, although walking might be safer).
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    The WPA2-PSK part sounds good, but I gave up on the MAC address filter list. As the MAC address is passed in plain text and easily spoofed it really wasn't worth the effort to maintain. If you have a fixed set of machines it can't hurt though. With different devices showing up here on a daily basis it just took up too much time.
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Just a few thoughts.

    There is a product called WEP/WPA Random Key Generator.

    http://www.soroban.co.uk/wepkeygen.htm

    I used it for my key to avoid using the generator that came with the router setup software. I wanted an independently generated code. Maximize it, load it, save it; you never need to memorize it.

    The router for WPA2-PSK also had a H/W firewall in it, among other settings for things like the frequency of changing the code. Alter it to a non-default setting.

    You do not have to broadcast your SSID. But if you do, make it a random code as well.

    The guy next door uses Peter for his SSID and his password! :eek:
     
  25. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    For the router:

    Step 1: WPA2-PSK AES preferred, or at least WPA2-PSK.

    How to make it simple and strong: learn one simple poem, or at least the first 2 paragraphs of it. Trust me, a lot of grown-ups never remember that.

    Twinkle, twinkle, little star,
    How I wonder what you are!

    When the blazing sun is gone,
    When he nothing shines upon,
    Then you show your little light,
    Twinkle, twinkle, all the night.

    Now make any combo, like 1st and 4th, then from *( 8 ) start coming back, then = or any sign, then put the cell number of someone you remember:

    TtlS*HiwW&YawT^BsiG%=9912345678

    Trust me, to break that kind of thing takes a week, and after that you get zero results.

    Or, if that is too hard for you, then let's say, for example:

    i love maria sharapova very much i love to take her on date to Venice :D

    Again, this time the cell number first, then the 1,4 or 2,4 rule or whatever you like, then start from %(5) and go backward or forward, up to you. I try here to make it simple and hard to crack:

    9912345678@iLmS%vMiL$tThO#dTv?

    Cell number first, then I put @ instead of = at the end; there is no 4th letter, so I put ?.

    These are pretty easy to remember; if you do it 10-15 times you get the singing rhythm :D

    Step 2: I put an access list by MAC address.

    Step 3: I encrypt my hard disk entirely. Even if I get hacked, the last thing which keeps you safe is encryption of your data; that's what creates the most pain in the @$$ of anyone trying to be Mr. Smart.

    I remember my passwords like that; hope it helps others as well.
     
    Last edited: Mar 27, 2010