WiFi security that's better than WPA?

Discussion in 'other security issues & news' started by Genady Prishnikov, Mar 20, 2006.

Thread Status:
Not open for further replies.
  1. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    We dumped WEP when it proved simple to break. Then WPA and WPA2, which seems okay. For the home WiFi setup is there anything that would be stronger than WPA? Something of more industrial strength? Or, is WPA the best soloution?
     
  2. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I don't see why you need anything stronger, WPA is currently unbreakable right now as long as you use a long random password (63 since it is the max length). The only way to break it is a brute force dictionary attack, but since you have randomletters, numbers, symbols, that is kind of impossible ;) . WPA2 uses an even stronger encryption method.

    If you really feel something more is necessary, then considering making a RADIUS server for authentication. It is a waste of time though IMHO since WPA2 is the latest and greatest security, and since WPA is un breakable. But if you have a lot of free time, why not check it out :p

    Just make sure to keep your SSID broadcasted and MAC filtering OFF since they do nothing for security and only hinder you connecting to your router. Any hacker who can hack WEP can find your SSID and clone a MAC in under 30 seconds, so it is a WORTHLESS security measure

    Alphalutra1
     
  3. securityx

    securityx Registered Member

    Joined:
    Dec 1, 2005
    Posts:
    149
  4. trickyricky

    trickyricky Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    475
    Location:
    London, UK
    If you're really concerned about security, you could always replace your WiFi link with a CAT-5 cable... seriously. If WPA doesn't confer enough security for you, then you must be a real target for the Pentagon, GCHQ and several other centres of decryption excellence. As it stands, it's pretty well unbreakable (as I type) so increasing your security further will give no real benefit.
     
  5. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    To be precise, I presume the OP is talking about WPA-PSK (or WPA2-PSK). As Alphalutra1 stated, the only currently known attack against WPA(-PSK) encryption is a dictionary attack, and a strong passphrase (of more than 20 characters) is defence enough against that.

    The weakness of WPA-PSK is the, er - Pre-Shared - nature of the key itself (the key used is generated automatically from the shared passphrase). Every station that attaches to the WLAN uses the same passphrase, so if that becomes compromised (e.g., a laptop is stolen) then anyone else can join the WLAN simply by using the same. It is for this reason that WPA-PSK is inadequate security for corporate use.

    WPA Enterprise (also known as WPA RADIUS, but often shortened to simply "WPA") addresses the weakness in WPA-PSK by using server-based authentication. Here, each user has his/her own key and/or certificate (together with a technique called key rotation), so that a single compromised key can be easily rescinded without the need to reconfigure all the other WLAN-permitted devices.

    RADIUS servers are financially out of reach of most home users, but there are web-based services like WiTopia's SecureMyWiFi - which is currently free for up to 5 users on a single router - which provide basic authentication (SecureMyWiFi uses individual passphrases, but does not use certificates).

    The bottom line, therefore, depends on your own assessment of how safe your WPA-PSK passphrase is, and the likelihood of you being attacked in any case (if you live in a rural setting, you are less likely to be targetted than if you live in a city centre). If you are satisfied that your passphrase will remain confidential, then there is little benefit to adding authentication.
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You might be interested in listening to this security podcast (also available via iTunes), apparently some problems have been found with WPA, although not YET WPA2.
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Another option is to set up a VPN which adds its own level of encryption (typically using strong algorithms like AES or Triple-DES) to secure traffic within your network. For general Internet access, an anonymising proxy like Tor (which adds multiple levels of AES, which are removed as traffic traverses the Tor network) would be a good choice (see Don't Fear Internet Anonymity Tools for a good discussion and more information on such systems), as would JAP if your main purpose was web browsing.
     
  8. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Yes, using a VPN gives the highest level of security on a WLAN, but it is important to understand what a VPN will and will not do, security wise. A VPN can be difficult and expensive to implement (although something like OpenVPN can reduce the costs involved), and needs very careful integration with other facilities. For instance, depending on what hardware (internet gateways/servers and hardware firewalls/routers/WAPs) and network topology you have, you will need to properly firewall the VPN server host, to allow ARP exchanges, etc., but block other non-VPN traffic. Often, you will also need to install a DNS server on the VPN server host, and to properly firewall client machines to prevent them from being attacked. Also, a VPN can cause problems if you have other non-computer devices on your network, such as network printers.

    Don't get me wrong - I'm not knocking VPNs. Quite the opposite, in fact, as they are a key technology for securing WLAN-based company networks. I just want to illustrate there are a number of factors that need to be considered when implementing a VPN, and the tasks involved often require expert assistance.

    Also, it is important to understand that with most domestic routers, you can't host the VPN server on the router, and the VPN will not therefore be able to secure the WiFi router itself against intrusion (that's where WPA(2) and authentication come in) but it will prevent access to internal traffic and facilities if the router is hacked.
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Spm,

    Very good points about possible issues with VPN. For a small network (with a few PCs talking to a single server) it may be easier to create encrypted connections using OpenSSH but this has downsides also.

    Wireless LAN security guide is an article worth reviewing, covering measures not listed here - though some are only practical for large organisations.
     
  10. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Yes, p2k, that is a useful article, but I find it a weakness that the author omits to consider remote PEAP-based RADIUS services like WiTopia's that are very cost effective for SOHO users.

    There is also a useful article here about using OpenVPN to secure a WiFi network, but it glosses over some of the other practical issues involved in blocking out non-VPN traffic.
     
  11. WiFidude

    WiFidude Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5
    As securityx and spm mentioned....

    WiTopia's (www.witopia.net) securemywifi service provides wpa/wpa2 enterprise security with a management portal included.

    Looks like they actually have a vpn service too (personalVPN) that encrypts out to an Internet gateway and provides anonymity features as well. I guess you could combine the two for best of both worlds?

    Alas, the securemywifi service doesn't appear to be free any longer :( but I did see a promo code from a blog called The wireless report. The code is, you guessed it, "thewirelessreport"

    code still works and gives a 15% discount
     
  12. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Still, the SecureMyWiFi service is very reasonably priced.

    Yes, personalVPN is based on (the excellent) OpenVPN, but it is still important to understand what it does and doesn't do. While a locally-hosted VPN can be used to secure all traffic on a WiFi LAN (with the reservations I alluded to above), personalVPN will secure just your web traffic. It can be considered, then, as an encrypting and anonymising proxy of sorts. While this may be a valuable facility for some (for instance, when using a WiFi hotspot), it does not secure your WiFi network.
     
  13. WiFidude

    WiFidude Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5
    spm,

    Interesting. I know personalVPN won't lock down your AP, but does encrypt one data stream from one computer over your wireless network out to witopia's Internet gateway. So..if you loaded personalVPN for every computer in your home or office, it would secure all your traffic right?..or no?

    Granted, this would be ineficient as all traffic would have to go back and forth through witopia's systems..securemywifi is the right service to secure all local wireless traffic
     
  14. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    First a disclaimer ... I haven't actually used personalVPN, so treat this as a supposition based on the way VPNs work...

    ... when you install personalVPN, you will (presumably) see a new virtual NIC on your system, and this will be assigned a public IP address by WiTopia's DHCP server when you start personalVPN. When connecting to personalVPN, your computer's routing table will be configured automatically to route internet traffic through your personalVPN NIC, rather than your local network.

    Now, it is possible that personalVPN could be configured so that your default gateway could be redirected through the VPN (OpenVPN has a facility for this), but this would, I believe, cause all sorts of problems for some networks, so I doubt that's what they do. In the absence of this, all traffic for 192.168.x.x (or whatever local subnet you are on) would still route through your local (real) wireless/ethernet NIC and therefore outside of (and unprotected by) personalVPN.
     
  15. WiFidude

    WiFidude Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5
    ah..okay. That makes sense...thanks for the info. Quite Interesting.
     
  16. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    I don't have any experience with personalVPN and I have only just skimmed the website, so I may be wrong... but I'm not sure the above statement is accurate. Rather I think these guy's are just reselling / packaging access to one of the standard enterprise SSL VPN devices on the market (e.g., Juniper Secure Access, Aventail, F5 FirePass, etc.). It's a common misconception that SSL VPN products only encrypt web transactions or applications / protocols that can be proxied via a web interface (e.g., SMB/CIFS file sharing, POP/SMTP email, etc.) However, most products in this class offer downloadable ActiveX or Java components and/or downloadable windows apps that can redirect / forward actual network-level IP packets for those applications that need direct network-level support. While it does involve some client software (ActiveX, Java, Windows app), there is usually little to no configuration involved and the whole process is much easier from an end-user standpoint, than traditional IPsec client configuration.

    Other than for dedicated, branch-to-branch encryption, IPsec proves to be a major hassle. Dealing with IPsec VPN client software on the wireless laptops and other endpoints is a pain-in-the-butt for users and admins. SSL VPN is definitely a much better choice -- if you can use it given a few caveats -- for mobile users, wireless users, etc. But, really, VPN technologies are all major overkill for anything outside corporate / enterprise networks. Just stick to WPA/WPA2 and let the wireless standards bodies work through their processes if they deem more security worthwhile (IMHO).
     
    Last edited: Mar 31, 2006
  17. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Alec,

    personalVPN is a service that uses OpenVPN. It doesn't say so on WiTopia's web site, sure, but it is well known. Here are a couple of references to support this:

    http://www.securitypipeline.com/shared/article/printableArticleSrc.jhtml?articleId=160900369
    http://www.tomsnetworking.com/print.php?sid=1027

    I don't wrongly assume SSL VPNs only encrypt web traffic (or protocols that can be proxied) at all. I know they can, and do. I have set up, and I manage, a number of OpenVPN implementations. It's just that I doubt whether remotely hosted services like personalVPN are configured to do so - I'll be happy to be proved wrong, though. I don't feel like investing the $40 or so to find out :), but I guess I could ask WiTopia.

    I entirely agree, though, that VPNs are overkill for home users (which is why I omitted to mention them in my original post to this topic).
     
  18. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Thanks for the clarification and, btw, I didn't mean any offense. I had taken your prior statement to imply that only web browsing and the HTTP protocol traffic would be encrypted. Rather, when you said "web traffic" were you really simply trying to delineate between LAN vs WAN traffic? Since personalVPN wouldn't seem to be of any help in securing wireless traffic localized on your LAN itself, unless I'm laboring under yet another misunderstanding. I must confess that I haven't worked with the OpenVPN code, and prior to reading more about it, had falsely assumed it was another variation on the open source IPSec clients like FreeSWan.

    Yet, I'm curious, from what I've read so far... the developers behind OpenVPN rightfully make a very big point in differentiating between a true SSL VPN that can tunnel all network traffic and an SSL Security Gateway which can tunnel only web-based traffic. From my little knowledge of the product, then, it would seem that OpenVPN is expressly designed as an essentially network-layer tunneling mechanism rather than an application layer mechanism. So shouldn't personalVPN also be configured by default to tunnel all protocols at the network-layer if it is based on OpenVPN? (I guess I'm just still a tad confused by your comments. Truely, I think VPN designers, developers, and standards-bodies are bound and determined to make VPN technology far too confusing and complex than it should be or needs to be. I'm getting confused just talking about it. ;) )
     
  19. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Not to worry - none was taken. :)

    That's correct. I was very loose in my terminology, and if I had properly checked what I had written at the time, I would have gone back and edited it. Indeed, I was attempting to differentiate between LAN and WAN traffic, as you say.

    Yes, the whole VPN arena is one of complexity, especially with the proliferation of the 'standards' that are in use ;). OpenVPN is a true SSL VPN, but it is a very configurable one. One of the configuration directives that an OpenSSL server can specify is "redirect-gateway". At the risk of adding too much detail, I have lifted this from the OpenVPN site:

    WiTopia do not use this directive, thus allowing local LAN traffic to/from the client to flow as normal. If they did use it, the client would essentially be isolated from the rest of the LAN. Not a good idea.
     
Loading...
Thread Status:
Not open for further replies.