[ale] wireless sanity/security check

Pat Regan thehead at patshead.com
Mon Jan 4 16:12:55 EST 2010


On 01/04/2010 03:09 PM, Michael Trausch wrote:
> Not really... it is pretty easy to attach a wireless access point to a
> server that is running VPN software configured such that the VPN
> software is the *only* thing running on that network port.  By
> requiring everything to be then tunnelled through the VPN software
> before being allowed to cross into the LAN, you have achieved a
> strongly-encrypted system that is safe.

If I do this then all my possibly poorly configured wifi devices are 
vulnerable to attack if they have poorly configured services (like your 
friend's guest account).

>>  A weak passphrase is just as bad for a VPN (if you are only using
>>  passphrases) as it is for WPA.
>
> This is true to a degree.  However, with a VPN you can use
> certificates instead of passphrases.
>
> For that matter, one could simply require the use of IPsec, which (as
> I understand it) uses certificates as well.
>
> If one has devices that need to use the wireless network, but are not
> capable of either using a VPN or IPsec, then either those devices need
> to be upgraded in software or replaced with newer devices that do
> those things, or, if neither of those is a viable option, then a
> second wireless access point could easily be installed just for those
> devices that relies on a less strong method of protection and with
> restrictions so as to fulfill the needs of only those devices (that
> is, using some form of access control that whitelists instead of
> blacklists).

If my ancient wifi devices that only support WEP need to be upgraded to 
support a VPN why not just upgrade them to the point that they support 
WPA2? :)

> WPA2-PSK is definitely stronger, given that you can do things like use
> a whole sentence for a passphrase.  However, I'd rather trust
> certificates than a passphrase, since I have to physically give
> someone the certificate to be able to use the wireless network.  It is
> for that reason that I don't use passwords or passphrases when it
> comes to SSH, I use keys instead.

Fortunately, most of us are running wifi at home.  The effort and 
expense we put into security needs to be proportional to what we are 
trying to protect.

> Where did I claim of a deficiency in WPA2+AES?  I don't believe I did.
>   I think (if I'm reading correctly) what I said was "The only provable
> way to secure a wireless network [that] has sensitive information on
> it … is to use strong encryption and access control."  Now, strong
> encryption, WPA2+AES might support.  Strong access control, I'm not so
> sure about: give the passphrase to a guest, and they can give it to
> another.  Hand a certificate to a person and they are not likely to
> know how to give it to another (the bar is higher) and since
> certificates are unique for each person that you give them to, you can
> find out where the leakage originated.

You implied the deficiency by stating that a VPN is the "only" way to 
secure your wifi.  It is one very good way to do it, if done properly. 
Unfortunately, it is very easy to do improperly.  If your wifi is open 
that means any random passerby can connect and attempt to attack any 
machines connected to the access point.  If one machine has a service 
open on the non-vpn interface and has a problem like the guest account 
you mentioned then your VPN just became worthless.

PSK is probably good enough for most people.  I can share my key with 
visitors.  Their machine could be attacked after they leave and someone 
could find my passphrase.  I imagine the odds are quite low that a 
supposed thief knows where that key can be used :)

It is pretty trivial to set up WPA2 enterprise.  You just need a radius 
server, which you could probably run on the same router with something 
like openwrt.  As far as I know WPA2 Enterprise is currently safe as well.

> Not very good for him, since he also was an employee of the ISP.

I would hope that would make it easier to get reactivated :)

> Anyway, had a VPN been required, that wouldn't have happened.

Unless the PC with the guest account was on the open wifi.  I would bet 
this is a gotcha that the average person setting up a VPN to replace WPA 
might miss.

It should be easier to convince someone to use a strong random 
passphrase with WPA2 (with TKIP disabled!) than it would be to get them 
to correctly configure a VPN solution.

> I suppose if the network card that was in the system supported WPA2,
> that would not have happened, either.  But it didn't, and VPNs don't
> require special hardware.

VPNs do require special hardware.  My Wii, PS3, and Roku all support 
WPA2-PSK (one or more support enterprise).  They do not and will not 
support VPN clients.

I don't know anything at all about wifi and Windows, but there can't be 
very many cards that fail to do WPA on Linux with wpa_supplicant.

> Interestingly enough, as I write this, I am sitting next to a piece of
> Linksys hardware that only supports WEP.  Yuck.

It must be very, very, very old.  :)

Pat
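As an added illustration of the two points Pat makes above (WPA2 with TKIP disabled, and WPA2 Enterprise being just a RADIUS server away), here are three hostapd.conf variants; this is example configuration written for this page, not anything posted in the thread, and the SSID, passphrase, RADIUS address and shared secret are placeholders.

```ini
# Variant A (weak, shown for contrast): mixed WPA/WPA2 with TKIP allowed
# and a short dictionary passphrase. Do not deploy this one.
interface=wlan0
driver=nl80211
ssid=EXAMPLE_SSID
hw_mode=g
channel=6
# wpa=3 accepts both WPA (v1) and WPA2 clients
wpa=3
wpa_key_mgmt=WPA-PSK
# TKIP permitted for WPA1 and even for WPA2 (RSN) associations
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=password1

# Variant B (what Pat recommends): WPA2-only, CCMP/AES only,
# long random PSK. wpa_passphrase must be 8-63 characters.
interface=wlan0
driver=nl80211
ssid=EXAMPLE_SSID
hw_mode=g
channel=6
# wpa=2 means RSN/WPA2 only; WPA1 clients are refused
wpa=2
wpa_key_mgmt=WPA-PSK
# no TKIP anywhere
rsn_pairwise=CCMP
# placeholder: replace with a long random passphrase (20+ chars)
wpa_passphrase=REPLACE_WITH_LONG_RANDOM_PASSPHRASE

# Variant C (WPA2 Enterprise): same cipher settings, but clients
# authenticate per user via 802.1X against a RADIUS server, which can
# run on the router itself (FreeRADIUS on OpenWrt, for example).
interface=wlan0
driver=nl80211
ssid=EXAMPLE_SSID
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# placeholders: address, port and shared secret of your RADIUS server
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_RADIUS_SECRET
```

Use exactly one variant per interface; they are listed together only to show which keys change between the weak and the hardened setups.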
