
Wireless LAN Security

  • 07-10-2004 1:44pm
    #1
    Registered Users, Registered Users 2 Posts: 334 ✭✭


    What do you think is the best security package for keeping your wireless network secure? Is there any software out there that is any use at keeping data encrypted while transmitting? Anyone any experiences? Personally I'm in college and have a wireless network card, I'm trying to get something that will encrypt data while being transmitted to the server and access points


Comments

  • Registered Users, Registered Users 2 Posts: 173 ✭✭happydude13


    It would depend on what you are trying to achieve tbh

    You could set up a virtual private network VPN, which is independent
    of the underlying transport mechanism, ie
    It will work the same with wireless or wired networks and it will be
    possible on any network that 'supports' IP packets, basically all of 'em.

    But you'd wanna ask more specific questions.

    or perhaps do a clusty.com :) search for "wireless security howto"


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Or let's not overlook the obvious - Are you connecting to a WEP encrypted network? If not, suggest to your college's network admin to enable WEP encryption.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Crapbag wrote:
    What do you think is the best security package for keeping your wireless network secure? Is there any software out there that is any use at keeping data encrypted while transmitting? Anyone any experiences? Personally I'm in college and have a wireless network card, I'm trying to get something that will encrypt data while being transmitted to the server and access points

    Unless WEP is activated at the wireless access point, all data you transmit will be unencrypted. Even WEP isn't secure though.

    Unless the data you're transmitting needs to be secure, then I wouldn't worry about it. For any websites that use https connections, the data will be secure, wireless or otherwise (check the address bar) - Banking, Phone, or any kind of financial sites will usually use this, although more and more sites with any kind of login system are using it now. If you're telnetting into servers, use ssh instead. It's secure by the same virtue of https being secure.
    If the data you are sending is to a fixed machine or fixed group of people, you could look into PGP protection, and encrypt all your mails, connections, or use VPN to set up encrypted channels.

    But it's probably not necessary. Enabling WEP in a college environment is pointless. Those who want to steal your data will still be able to, and the comp services will get such a headache with people coming up and asking for the key, that they'll publish it on their website, rendering the point of encryption null and void.

    Remember also that with WEP, data is only secured between the card and the access point. Anyone connected to the wired network can still get their hands on your unencrypted data.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,599 Mod ✭✭✭✭Capt'n Midnight


    One problem with WEP is that everyone has the same key. This means anyone on the LAN can eavesdrop on everyone else. It also means you have to trust EVERYONE not to give out the key and you have to figure out a way of giving out the new key, cos if someone got the last one they could see the new one being mailed out etc.

    VPN is the best way, because everyone would have a unique key and you could change keys individually and lock out on a per user basis. PPTP, Zebedee and CIPE are supported by both Windows and Linux - PPTP is the easiest to set up if you already have Windows servers validating logons.

    NB. unless the college have the same encryption mechanism setup and know your key (or hash) then you won't be able to connect.
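
Added example, not part of the original posts: a minimal Python model of WEP framing (RC4 keyed with the cleartext IV plus the shared key, CRC-32 integrity value) illustrating the point above that one key shared by everyone lets every key holder read everyone else's frames. The key, IV, station names and payload are constructed sample values.

```python
import struct
import zlib
from typing import Dict, List, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream XOR data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (sent in the clear) || key id || RC4(IV||key, data||ICV)."""
    return iv + b"\x00" + rc4(iv + shared_key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the ICV fails (wrong key)."""
    clear = rc4(frame[:3] + key, frame[4:])
    data, check = clear[:-4], clear[-4:]
    return data if icv(data) == check else None


def readers(frame: bytes, station_keys: Dict[str, bytes]) -> List[str]:
    """Names of the stations whose configured key decrypts this frame."""
    return [n for n, k in station_keys.items() if wep_decrypt(k, frame)]


# Constructed sample values, not taken from the thread.
WLAN_KEY = b"campus-wlan13"                     # one 13-byte key for everyone
STATIONS = {"alice": WLAN_KEY, "bob": WLAN_KEY, "outsider": b"not-the-key13"}
FRAME = wep_encrypt(WLAN_KEY, b"\x01\x02\x03", b"mail for alice only")
print(readers(FRAME, STATIONS))                 # every holder of the shared key
```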


  • Registered Users, Registered Users 2 Posts: 1,880 ✭✭✭nosmo


    While WEP is frequently written off as insecure, don't overlook it. Locks are insecure, but most people don't leave their front doors open. EAP/LEAP technology are also very secure once set up properly, but there are compatibility issues to be found there, with non-Cisco cards and OSes other than Win 2k/XP.

    <sorry, just reread post> If you're just a user connecting to a college access point, there are chances that your college is using encryption already, but if not, look into anonymous browsing solutions such as JAP http://anon.inf.tu-dresden.de/index_en.html .


  • Registered Users, Registered Users 2 Posts: 334 ✭✭Crapbag


    I was told WEP wasn't secure by a lecturer and not to send passwords or anything sensitive over the network. Just was wondering if I could secure it on my end without having to get the network administrator involved as he ain't too student friendly


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Crapbag wrote:
    I was told WEP wasn't secure by a lecturer and not to send passwords or anything sensitive over the network. Just was wondering if I could secure it on my end without having to get the network administrator involved as he ain't too student friendly

    No. In order for a connection to be secure, you need both ends of the connection to be in on it.

    Think about it: You come up with a secret code, so that everything you say to your mates isn't understandable by anyone else. Except that you can't tell your mates, and you attempt to speak to them in this code anyway. They won't know what you're talking about.

    What are you trying to secure? Better to get it into your head, that just like in real life, there are some things that can be kept secret, and some things that will always be in the public domain. Have 3 passwords minimum: One for nonsecure sites like boards and email, a second one for banking sites, your mobile phone account, etc, and a third one for network & computer logins, and don't store any of them together - or better yet, don't store any of them at all.

    That way if one password is compromised, say your boards account, then your banking and network logins are still secure. By far the biggest risk to any person's or corporation's security is poor user-level security and weak passwords.

    Also, as nosmo says, think about it logically. There's no point in succumbing to fear. A standard latch on most Irish front doors are fundamentally insecure - you can find out how to pick them on www.howstuffworks.com . But when's the last time someone picked your lock to break into your home? How many people sitting around you right now have a) The knowledge and b) The desire, to steal your passwords?


  • Registered Users, Registered Users 2 Posts: 334 ✭✭Crapbag


    I know what you're saying but I'm in a computing building full of computer students many with wireless capability. Some of these students get a kick out of being able to steal data. I was just wondering if there was any extra level of generic software that would aid WEP but just be a simple deterrent.


  • Moderators, Sports Moderators Posts: 8,679 Mod ✭✭✭✭Rew


    seamus wrote:
    A standard latch on most Irish front doors are fundamentally insecure - you can find out how to pick them on www.howstuffworks.com . But when's the last time someone picked your lock to break into your home? How many people sitting around you right now have a) The knowledge and b) The desire, to steal your passwords?

    He is right to be wary of a college network. I know plenty of people who have abused their college systems for fun and profit given half the chance. Traffic sniffing is a pretty easy way to do this on WLAN.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Rew wrote:
    He is right to be wary of a college network. I know plenty of people who have abused their college systems for fun and profit given half the chance. Traffic sniffing is a pretty easy way to do this on WLAN.

    Agreed completely, but how important is one's data? I know exactly what Comp Sci students are like, and it's a bit like having an easily picked lock in an estate full of people who like to burgle for fun now and again.

    But there's only so much you can worry about. There are very few unsecured sites where I would be worried about someone getting a hold of my data. If a site is going to be storing/taking sensitive data (Credit card, bank accounts, etc), I make sure it uses https, or I don't use it.

    I say 3 passwords minimum, but in reality, if you're worried about compromised security, then your only bet is damage limitation. Use a different password for everything. Not practical, but in the event that someone gets a hold of your password, then they only have access to that system/site, not to anything else of yours.

    Basically, as I've said, all encrypted communications needs two parties. The sender and the receiver. There's no way of setting up encryption on your own side to protect your transmitted data.

    How to adequately secure one's systems and data over the internet is a discussion that could go on for days and days and days and days and days......


  • Registered Users, Registered Users 2 Posts: 173 ✭✭happydude13


    Well if you have access to a linux/unix machine that runs a http or socks proxy
    you could use a tool like PuTTY to create a secure ssh tunnel between
    your computer and the proxy. Then all traffic is encrypted until it gets
    to the proxy. I use this on occasion and it works a treat.


  • Closed Accounts Posts: 71 ✭✭mcloughl


    IMHO 802.11.b is an inherently insecure solution. Copper wires despite all their many faults and issues don't float their traffic around the ether!

    What I do at home is 4 pronged solution...

    1>Cloak your SSID - most APs allow this. Make it at least 10 characters with non alpha / numeric content. This will prevent SSID guessing / brute force.

    2>Enable WEP at the client and the AP and the longer the key the more secure it is. Also throw in some non alpha numeric content into it.

    3>MAC address filtering - enable a static list of MAC addresses that are allowed to talk on your WLAN.

    4>VPN - configure your hosts to authenticate with some sort of Token or pre shared secret prior to being allowed on the LAN and use IPsec only.

    Also if the LAN is hostile due to the little devils playing on your LAN terminate the traffic in a DMZ. Finally incorporate an acceptable usage policy and throw out / bar the little gits if they port scan / run exploits or generally act the script kiddie

    Even then there is no silver bullet when it comes to WLAN security but newer devices (802.11.x) do allow additional security measures.

    Hope this helps


  • Moderators, Sports Moderators Posts: 8,679 Mod ✭✭✭✭Rew


    mcloughl wrote:
    IMHO 802.11.b is an inherently insecure solution. Copper wires despite all their many faults and issues don't float their traffic around the ether!

    Security through obscurity is not security!

    The same issues apply to wired as much as wireless they are just much harder to exploit on a wired net. Wire taps are much harder to detect, if not impossible without tracing all your network cable. When was the last time you or anyone you know did a security audit on physical wiring?

    Given another few years Wireless (be it a, b, g and/or n) will be far more secure than wired for the simple reason that it has to be more secure. Wireless controls access to the network (or at least tries to) by default but with wired it has to be retro fitted. Management overhead is much higher on wired nets as well.

    All that has to be done is a decent implementation of EAP combined with hardware accelerated AES encryption (WEP2/802.11i) and Bob's your mother's brother. Tack on support for Time of Arrival and Time Difference of Arrival triangulation algorithms and you could locate all your clients in real time as well.

