WiFi Security

**Supp** · 10-28-2003, 06:20 PM

Hi,
I need to set up WiFi network with both Linux and Windows clients.
I need secure transfer of data in both cases - as we all know, WEP is some kind of joke and not usable in terms of "real security" - it can be cracked within days.

So, my question is: how to secure network (both cable and wireless) where are both Win and Lin clients present???

Any help/links would be appreciated

.

**magnav0x** · 10-28-2003, 06:42 PM

For one, be sure to only allow connections to the wirless network via MAC address and set a client limit to only the amount of wireless clients you plan to have connected at any given time. True, WEP is very insecure, but you don't have much to worry about unless you are generating HIGH amounts of wirless traffic. Take this into account. 40 bit WEP generally takes over a week of continuous scanning to crack the key, In order to crack 128 bit WEP, will take several weeks (that is scanning 24/7). When cracking WEP, the scanner is looking for "intersting packets". Let me tell you this...not as many packets are as "intersting" to the scanner as you would think. We're talking about oh....say 5-10 million encrypted packets minimum to crack a 64 bit WEP encryption. To be very safe, the easiest and most effective way, without having to go with IPSec or other security networking protocols is to change you WEP at least once a month, though I would suggest once a week.

Currently an extention to the 801.1x protocol is being implimented that will replace the WEP encryption, but for now a lot of manufacturers are starting to to release WPA with their products, which is a temporary fix until the new protocol is finished. WPA uses TKIP, where rekeying of global encryption keys is required. The encryption key is changed after every frame using Temporary Key Integrity Protocol (TKIP).

If you are interested in more WiFi security info let me know and I'll spill my beans some more.

**Chinasaur** · 10-28-2003, 08:12 PM

Some good data here for your persual -

http://www.linuxexposed.com/modules....&mode=&order=0

**Supp** · 10-29-2003, 08:56 AM

Thank you both,
problem is that I'm visiting that site once/month at most and network traffic IS huge...

So, I'll probably have to use some kind of security protocols you mentioned - but it has to work on both Linux and Windows...any suggestion?

**magnav0x** · 10-29-2003, 10:45 AM

Supp, I would definatly recommend looking into the IPSec protocol. It will work with linux and windows.

**Supp** · 10-29-2003, 11:40 AM

Will look at it, thanks.

Has anybody seen any good tutorial about IPSec (Goooooogle is full of trash...)?

**Supp** · 10-29-2003, 02:35 PM

OK, found this link , quite IPSec for dummies...

**magnav0x** · 11-17-2003, 06:15 PM

Supp, did you ever get around to finishing your wifi security project? Just curious how you faired. BTW, thanks for the IPSec link, it's a very nice one

**pointwood** · 11-18-2003, 03:12 AM

/me is generally clueless in this regard, but from what I heard using MAC adresses as a factor is useless as they can easily be faked. Same counts for WEP, though it can be used to stop the most lame attempts to access the network.

What I've basically heard is that you should put your WIFI outside the firewall and then only allow VPN connections.

**magnav0x** · 11-18-2003, 07:37 AM

You are right on both accounts pointwood, but

A) mac address filter is better than NO mac address filter (not all people actualy know what they are doing, this eliminates the MANY that can't even spoof a MAC address....and yes it's very easy to spoof a MAC address if you know what you are doing

) Also, remind you that if DHCP is limited to only (for the sake of example), two DHCP leases and you use MAC filtering. One they have use DoS or other highjack method in order to free up a lease for themselves. Once that is done (if they were smart enough to do some ARPing to get a valid MAC address) then they can spoof a valid MAC addy.

B) As mentioned above, though WEP is weak, it isn't feasible to crack a WEP encryption unless you know for SURE that there is something worthwhile to gain access too. I mean why spend over a week grabbing packets unless you are after something specific?

So, while they are both insecure.....they are better than not having them at all. I'd rather have a hacker in my system that spent well over one week trying to get into it than the casual war driver driving by. BTW VPN (firewall or not) is JUST as insecure to anyone who knows what they are doing

Just look at it this way, no matter what precautions you take, your systems will ALWAYS be vulnerable

So just do what you can and take all available options you have available to secure your system agains those pesky script kiddies

**pointwood** · 11-18-2003, 07:44 AM

In what way is VPN insecure?

UPDATE: I mean I know the encryption isn't *that* strong, but it is good enough, unless you're as paranoid as the NSA

of course VPN is insecure if you compromise a PC with a VPN client. That's probably the biggest risk. I'm interested in whether there are other big risks?

And yes, nothing is 100% secure

or should that be a

Ps. I like your signature

Thread: WiFi Security

Thread Tools

Rate This Thread

Display

WiFi Security

Posting Permissions