[ale] wireless sanity/security check

Michael Trausch mike at trausch.us
Mon Jan 4 15:09:03 EST 2010


On Mon, Jan 4, 2010 at 3:07 AM, Pat Regan <thehead at patshead.com> wrote:
> On 01/04/2010 01:03 AM, Michael Trausch wrote:
>> The thing is that WPA2 not only relies on not-ancient hardware, but
>> also compliant hardware.  WPA2-PSK support is fairly common, and
>> most people will find that as being their weakness due to generally
>> weak passwords.
>
> This applies equally to a VPN :).  There aren't very many wifi
> appliances that support any sort of a VPN.  Most anything that supports
> 802.11g will support WPA and more than likely WPA2.

Not really... it is pretty easy to attach a wireless access point to a
server that is running VPN software configured such that the VPN
software is the *only* thing running on that network port.  By
requiring everything to be then tunnelled through the VPN software
before being allowed to cross into the LAN, you have achieved a
strongly-encrypted system that is safe.

> A weak passphrase is just as bad for a VPN (if you are only using
> passphrases) as it is for WPA.

This is true to a degree.  However, with a VPN you can use
certificates instead of passphrases.

For that matter, one could simply require the use of IPsec, which (as
I understand it) uses certificates as well.

If one has devices that need to use the wireless network, but are not
capable of either using a VPN or IPsec, then either those devices need
to be upgraded in software or replaced with newer devices that do
those things, or, if neither of those is a viable option, then a
second wireless access point could easily be installed just for those
devices that relies on a less strong method of protection and with
restrictions so as to fulfill the needs of only those devices (that
is, using some form of access control that whitelists instead of
blacklists).

>> Most people still run WEP, and do not change their network SSID from
>> its default.
>
> They're lucky if they run WEP.  Verizon's wifi DSL routers seem to use
> 64 bit WEP.  The default key is your phone number...

WEP can be cracked in 10 minutes or less with nothing more than a
couple of tools and a shell script, so I would hardly call that lucky.

WPA2-PSK is definitely stronger, given that you can do things like use
a whole sentence for a passphrase.  However, I'd rather trust
certificates than a passphrase, since I have to physically give
someone the certificate to be able to use the wireless network.  It is
for that reason that I don't use passwords or passphrases when it
comes to SSH, I use keys instead.

>> The only provable way to secure a wireless network that has sensitive
>> information on it (in the sense that you would not want someone
>> stealing the data on your network because you could be sued or
>> whatever) is to use strong encryption and access control.  A VPN
>> provides both, depending on what type of VPN is being used.  And it
>> will work with very old WiFi hardware, too, which is a plus for many
>> people I know.
>
> If you know of an actual deficiency in WPA2+AES with a proper passphrase
> I would love to hear what it is.  If you don't have one, I won't believe
> that you have "the only provable way" to secure a wifi network :).

Where did I claim a deficiency in WPA2+AES?  I don't believe I did.
I think (if I'm reading correctly) what I said was "The only provable
way to secure a wireless network [that] has sensitive information on
it … is to use strong encryption and access control."  Now, strong
encryption, WPA2+AES might support.  Strong access control, I'm not so
sure about: give the passphrase to a guest, and they can give it to
another.  Hand a certificate to a person and they are not likely to
know how to give it to another (the bar is higher) and since
certificates are unique for each person that you give them to, you can
find out where the leakage originated.

>> It does require more setup... but for many reasons it is worth it if
>> your wireless network is for more than just guest use.  And you
>> won't get your Internet shut off because they were able to come in as
>> a guest and send out all sorts of things your ISP doesn't like.
>
> I know a lot of people with wide open wifi.  I've yet to see one get
> shut off :)

A friend of mine in Toledo, OH was running a wireless network that was
"secured" with MAC address control and WPA (not WPA2).  That network
was cracked, and one of the systems on that LAN (running Ubuntu) had
an account named "guest", with no password.  The account was there for
people that came over and wanted to use the system, so that there was
no need to let people use one of the existing accounts.  (Also note
that this was before guest functionality was released in
Ubuntu/GDM/GNOME such that an account could be dynamically created and
destroyed whenever you wanted a "guest session".)  Anyway, the ISP
shut off the account a few days later, because the system was
attacking other systems and attempting to infect them with some sort
of ick, doing port scans to look for easy targets and such on lots of
networks.  I presume that someone complained and that's how the ISP
discovered it.

Not very good for him, since he also was an employee of the ISP.

Anyway, had a VPN been required, that wouldn't have happened.

I suppose if the network card that was in the system supported WPA2,
that would not have happened, either.  But it didn't, and VPNs don't
require special hardware.

Interestingly enough, as I write this, I am sitting next to a piece of
Linksys hardware that only supports WEP.  Yuck.

   --- Mike
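
The point above about per-person certificates making a leak traceable, as an added example that is not part of the original message: a sketch that reads constructed VPN session records and reports any certificate in use from two peers at the same time, which names the person whose certificate was copied. The log layout, certificate names and addresses are assumptions made for the illustration and do not come from any particular VPN product.

```python
from collections import defaultdict
from datetime import datetime

# Constructed session records for a VPN gateway that authenticates each
# client with its own certificate. The field layout is an assumption for
# this example, not the log format of a real VPN product.
SAMPLE_LOG = """\
2010-01-04T09:00:00 connect cn=alice peer=192.168.50.11
2010-01-04T09:05:00 connect cn=guest-bob peer=192.168.50.12
2010-01-04T09:40:00 connect cn=guest-bob peer=192.168.50.27
2010-01-04T10:10:00 disconnect cn=guest-bob peer=192.168.50.12
2010-01-04T10:15:00 disconnect cn=alice peer=192.168.50.11
2010-01-04T10:20:00 connect cn=alice peer=192.168.50.30
2010-01-04T10:30:00 disconnect cn=guest-bob peer=192.168.50.27
"""

def parse(log):
    """Yield (timestamp, event, cn, peer) for each well-formed record."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("connect", "disconnect"):
            continue  # skip anything that is not a session record
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if "cn" in fields and "peer" in fields:
            yield (datetime.fromisoformat(parts[0]), parts[1],
                   fields["cn"], fields["peer"])

def shared_certificates(log):
    """Map each certificate CN to the peers seen using it concurrently."""
    active = defaultdict(set)    # cn -> peers with a session open right now
    findings = defaultdict(set)  # cn -> peers involved in concurrent use
    for _ts, event, cn, peer in sorted(parse(log)):
        if event == "connect":
            active[cn].add(peer)
            if len(active[cn]) > 1:
                # One certificate, two live sessions: it has been copied.
                findings[cn] |= active[cn]
        else:
            active[cn].discard(peer)
    return {cn: sorted(peers) for cn, peers in findings.items()}

if __name__ == "__main__":
    for cn, peers in shared_certificates(SAMPLE_LOG).items():
        print(f"certificate {cn} in use from {len(peers)} peers at once: {peers}")
```

A reconnect from a new address after a clean disconnect (alice in the sample) is not flagged; only overlapping sessions are. With a shared passphrase every session carries the same credential, so there is no per-person field to group on.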


