[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1449
  • Last Modified:

Wi-Fi and Cable sniffing

I understand that 128 SSL can be broken and that almost all wi-fi originated communications are at high risk of being sniffed. How do you really protect your wi-fi or pc cable originated sessions?
0
bnachmia
Asked:
bnachmia
  • 7
  • 5
  • 4
  • +4
7 Solutions
 
giltjrCommented:
Umm, technically I beleive that any encryption can be broken.  All you need is enough computing power and enough time and you can brut force the keys.

I think what you have have heard is that WEP can be broken by sniffing enough packets and analyzing the packets for patterns.  You can download software do to this.  

WPA is more secure than using WEP and is the recommened method of encrypting Wireless connections.
0
 
Tim HolmanCommented:
Yup.  Wi-fi connections are at high risk of being sniffed, which is why you need to chose strong encryption, and even go to lengths such as reducing wireless power so that only people within a certain area can access your network.
0
 
bnachmiaAuthor Commented:
I found this in wikipedia.
"Protexx is a company providing a secure, encrypted tunnel of up to 2048K Bits, for all wireless and cable users. The company claims it totally impossible to sniff or otherwise intercept data or ip communications between the originating wireless or cable device and the wired internet." Finally found the website as "protexxinc.com"
If 2048 is true, could be a possible solution.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
giltjrCommented:
In my humble opinion the CPU overhead to do 2048 bit encryption would make the communcations very slow.  Heck 128 bit encryption slows down communcations on most desktop comptuers.  Their solution is a VPN.  It does not really protect from your comptuer to the WAP, technically.  It protect from your computer to the end point of the VPN tunnel.

Say you have two home computers, one wirelss and one wired.  On the wireless one you connect to your works VPN that just happens to be using Protexx VPN software.   You also do file sharing with your wired computer at home, but you do not have the Protexx software on this computer because you never communcation with your work's VPN.  All traffic from your wirelss comptuer to your work is encrypted with Protexx's software, but all traffic from your wirelss computer to your wired computer is NOT protected.

The Protexx software is meant to work on top of your normal wireless security, not to replace it.

Think about this, in a wireless world the signals are traveling though the air.  How can then prevent me from intercepting that?  Again, if it is encrypted, I will have trouble decryping it. but I can still sniff it.

What are you trying to protect where you feel that WPA is not secure enough?

0
 
jhanceCommented:
You're talking two different things here:

1) SSL is not involved in wireless directly.  It's an application level protocol that lets a client and server communicate securely.  The most common scheme in use today for HTTPS connections uses a 128-bit scheme which is quite secure.  It can be broken but only over a long period of time using a large number of resouces.  So the NSA or another government agency might be able to decrypt it if they really wanted to (but there are usually much easier ways to get such information) but the average hacker or cyber-criminal will not be able to in a lifetime.

2) There are two main encryption scheme in use on wireless.  WEP, the original incarnation of wireless encryption, while a good scheme suffers from an extraordinarily poor implementation makes it essentially insecure.  The newer WPA encryption is quite secure and is probably more than enough for just about any need you might have.  Some of the newest wireless products are also now adding WPA2 which is even more secure and should be adequate for even the most sensitive applications.

If you are still paranoid, you can also add VPN on top of anything you are doing as well as add IPSEC which encrypts the traffic as well.  All told you could easily get 5 or 6 layers of encryption going between your workstation and a server.
0
 
MalleusMaleficarumCommented:
My recommendation for a practical way to increase your level of protection:

Definitely encrypt your wireless traffic using WPA standard of encryption vs. the WEP standard.

If you only have a one or two computers, consider reducing the number of allowed DHCP clients to two, or the exact number of computers you plan on having online at any one time.
(Alternatively, just statically assign them an IP.)

Turn OFF broadcasting of your SSID.  The SSID is basically the name you assing to your wireless network.  Turning off broadcasting the name of your wireless network will prevent casual war-drivers from locating your network.

Configure your router to only accept connections from the MAC addresses of your wireless interfaces.  The MAC address is a unique serial number assigned to every wireless (and wired) interface that is produced.

Finally, some wireless/wired routers allow you to run a VPN tunnel from the workstation to the router ( check out the Vigor @ http://www.draytek.co.uk/products/vigor2600g.html ) which, as mentioned above, would allow for an extra layer of encryption.

__Mal
0
 
Dushan De SilvaCommented:
Try to use WEP.

BR Dushan
0
 
JJT2750Commented:
I think you should be thinking about WPA and WPA2.

What WPA buys you is 2 things.

1. It gives you some form of authentication who can be on my network and who can't

2. The encryption piece protects your data as it's flying through the air so anyone running sniffer cannot grab your packets out mid air and decode them.

Right now I would suggest WPA2 with AES encryption WPA-PSK can be broken if they grab about 100GB of your data from the air, that should take someone about a year to collect.

WPA2-AES is where you want to be.
0
 
bnachmiaAuthor Commented:
Re Dushon 911's comment: Great suggestion, but WEP, WPA, and WPA2 will not work for hotspots. Also, havn't heard much about the PC to Cable question. Also, we should focus on the mobile client as networks can easily employ all of the bells and whistles if they choose.
0
 
giltjrCommented:
What?  Maybe you need to let us in on what you really want to know or the enviroment you are looking at.  You last comment is the first time you have mentioned hot spots.

Is this for a home wireless, for work, or for hitting hot spots?  What are you accessing when you using the wi-fi network?  The general internet, your home network, or your work network?
0
 
MalleusMaleficarumCommented:
Hmm.. ok, perhaps there was simply an overflow of assumptions on everyone's part.  Usually when people ask about wireless security it is  for a home network.  Perhaps you are inquiring about traffic security in general? Wired vs Wireless and what you can do to protect yourself?  

So here is a brief overview and you can tell me if this is more along the lines of what you were looking for.



The answer is the same for Wired or Wireless traffic.  Encryption is key.

First, let's address your first statement about 128 bit SSL Encryption being broken. It used to be that browsers used 40 bit SSL encryption.

The makers of Web browser software recognized the need to increase the strength of encryption and moved to a new standard, 128-bit encryption several years ago. Compared to 40-bit encryption, 128-bit encryption offers 88 additional bits of key length. This translates to 288 or a whopping 309,485,009,821,345,068,724,781,056 additional combinations required for a brute-force crack.
Based on the past history of improvements in computer performance, security experts expect that 128-bit encryption will work well on the Internet for at least the next ten years.
http://compnetworking.about.com/od/networksecurityprivacy/l/aa011303a.htm

Realistically can this be cracked today?!  Well, I suspect that if your doing something that would raise the attention of a nation state or 3 letter agency, then 128 bit encryption might not help you.  In which case, *I* can't help you either. :)

So, let's assume that 128 bit SSL is pretty safe, and I believe that it is.  All of  the high encryption browsers, banks, military installations, etc, use 128 bit encryption on their servers.

So, for web traffic (because that's mostly where you see 128 bit SSL used)  I would recommend a secure proxy server to tunnel all your traffic through.  A service like https://proxify.com This can encrypt and anonymize all your traffic.  This would prevent someone from intercepting your traffic and being able to do something with it, whether it be wirelessly via cracking WEP or if your hard-wired and someone is sniffing your traffic off a switch.

Encryption is the key (terrible cryptographic pun intended).

:)
0
 
Tim HolmanCommented:
Technically, anything can be sniffed, be it a cable connection, or wi-fi.  Doesn't matter if it's encrypted or not - you can still sniff the 1s and 0s off the wire, or off the air.  I don't think Protex Inc's claims are correct.
0
 
bnachmiaAuthor Commented:
Reply to Tim Holman
Yes you can still sniff the 1s and 0s off the net, however it is a udp packet rather then a tcp packet.
Your data is encapsalated in the udp pack which has the type of packet, destination and data encrypted in the packet
finally 128 ssl is broken, the handshake occurs in the clear, so once you have the handshake, you can crack the encryption.
By the way, Protexx claims are so correct that they are endorsed by HP.

qiltr:  Use of resources
The compression method and encryption algorythm employed actually reduces the cpu overhead - in many cases, no actual change.
0
 
giltjrCommented:
What do you mean by use of resources?  Based on you next statement it seems that you beleive that using this product your will reduce your CPU utilization, which is wrong.

If you are running software on your computer that does data compression and encryption and I am not running that  software, my CPU will be less busy that yours.  It takes much more CPU to compress/decompress and encrypt/decrypt than it does to send 10 times the amount of data (assuming that you are getting about 90% compression).  With compression, based on the amount and type it should reduce the volume of network traffic, but it will not reduce the CPU utiliziation on your laptop/desktop.
0
 
Tim HolmanCommented:
OK - I've just looked at the protexx.com website, and they DO NOT say anywhere that they prevent sniffing.

Sniffing - pulling IP packets off the wire, or out of the air.  You CANNOT stop this.
Cracking - decrypting (if needed) said IP packets into original content.  ANYTHING is crackable (it just takes time...).

We're getting a bit stuck as how to help you here.  I feel we've already answered your original question, so what can we do to help next?
0
 
giltjrCommented:
I have gone back and re-read everything.  I agree with tim_holman that it seems we have answered your question.  I may be interpreting your response wrong, but it almost seems as if you are trying to advertise for protexx.com.

To summarize what has been said:

1) You can't in any way shape or form prevent the sniffing packets on a wireless connection.  The air is not secure.

2) You can make it more difficult to interpret the packets by using encryption.

3) You can make it even more difficult by using multiple layers of encryption.  Using wireless encryption (WEP, WPA, WPA2) and then at the application level (such as ssl'ed http, ssl’e telnet, ssl’ed ftp, ssh, or any other application level encryption), using a VPN, or using both VPN and application layer encryption.

4) protexx's product is just a proprietary VPN with a more difficult level of encryption.

At this point in time all encryption methods are crackable given enough time, cpu and maybe a bit of luck.

What about your question has not been answered?
0
 
bnachmiaAuthor Commented:
Gentlemen, very close, indeed.
Protexx is a "Standardized Open Source VPN" with proprietary encryption algorithms up to 2048 bit.  Pro-actively chosen is a standardized model built on Open Source as to be able to become a "tunnel inside a tunnel" in which you can still run SSL, DES, 3DES, RSA, PGP, WEP, WPA, WPA2 seamlessly. It is a certificate based authentication system to hide the initial handshakes at a high encryption level. Since the keys for the handshake are never public or broadcast there is no way for a potential hacker to access these keys unless they physically break into the Certificate Authority.  Can you say Mission Almost Impossible?
With some semantic modification, when we think of "sniffing", the inference is what lies beyond the "aroma". In today's world, we infer this to be the results of data mined from the sniffing process, and the potential catastrophic damage that the lay public (as opposed to strong enterprise networks) is facing. The "answer" for the client/remote/wireless/cable connected user is to employ the best practices possible and as suggestedby memebers in all of the previous discussion, multiple layers of encryption, starting with the initial handshake, would tend to accomplish the task. Software based solutions resident with and under the control of the mobile/remote client (invoked when desired depending upon the situation), would appear to be the simple solution. Hardware + software based systems carry things to the next level, such as employment of bio secure devices to add additional layers of security. 2048 bit levels portend a very comfortable level of security knowing that the current standard of 128 SSL is no longer truly secure. Yes, I guess the question has been answered, but should remain under constant scrutiny as inadequate communications security practices pose the greatest threat to the individual and national interests today. We can close this question at the convenience of the experts.
0
 
giltjrCommented:
This does not sound like a question to me, it sounds like a sales pitch for Protexx's product.

You claim that 128-bit SSL is not secure, IMHO the rest of the world seems to  disagree.  I may be wrong, but that I am aware of it has not been cracked yet (at least it has not been publicly announced).

There are many products that are truly open source and do everything Protexx product does, execpt for the proprietary encryption, which requires you to use their product, which means their product is not really open source.

Obviously you do not know how this works.  The experts do NOT generally close questions.  If you feel your question has been answered, then you need to accept the first answer that you feels best answers you question, if there are multi-answers, then you accecpt one and have the others as assisted.  Form more information see:

http://www.experts-exchange.com/help.jsp#hs5



0
 
Tim HolmanCommented:
bnachmia - do you work for Protexx?
0
 
giltjrCommented:
That entered my mind too.  I've sat a lot of sales pitches and this sure sounded like one to me.
0
 
Tim HolmanCommented:
Judging by the sales pitch he just emailed me, I'm presuming he has rather close links...
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 7
  • 5
  • 4
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now