mcse2007

Wireless

Hi Experts,

I've set up the wireless routers below in my lab:
Linksys wireless router WPA-PSK [network authentication] and TKIP [data encryption]
Also, another router (same model) but WEP for network authentication.

What tools (e.g. wireless NIC, programs) do I need to be able to crack my key so I can secure it properly?

I know disabling the SSID is an excellent way of securing it. Also, using a certificate is another way.

Appreciate any feedback
mcse2007
Grizzly072000

Don't use WEP, it can be cracked within minutes.

"I know disabling the SSID is an excellent way of securing it."
You're dead wrong.

"What tools (eg wireless NIC, programs) I need to be able to crack my key so I can secure it properly. "
Such tools are reserved for experts. Just get yourself a randomly generated 63-char key and change it regularly.

Setting up a Radius server would protect your network and offer control over who gets in on your network.
ASKER CERTIFIED SOLUTION
DMTechGrooup
This solution is only available to members.
Don't use WEP. WPA2 is not going to be cracked, no matter what tool you choose.  Never disable SSID, it makes working with wireless an unnecessary pain.  People can find the SSID anyway.  Make it non-descript (don't make it the name of your business).
The WPA-PSK with TKIP is not too bad.  But it is only as secure as your key.  Like all passwords, the two criteria are 1) Make it long (more than 8 characters) 2) Make sure it is not something from the dictionary (phrases are good, e.g. "Mary had a little lamb,") 3) Make it easy to remember (so people don't write it down on a sticky note on the monitor)
Grizzly's suggestion of a Radius server is good too.
Pugglewuggle
These comments are all correct - I can verify that they are valid and that you will be good using the guidelines and suggestions provided in them.
I'll add to it that there is no need for making a wireless key easy to remember in Windoze.

The wireless key is to be entered normally only *once*, when you establish your profile, and Windoze stores it on your machine. Anyone (almost) having access to your machine can get all the keys for all wireless profiles. It is also stored in the router and available from there.

So you might as well write it in some (hidden) text file. And you can give a copy of that file to any guest you might invite on your wireless network.

So there is no excuse not to use a 63-char key. And change it regularly!
Except that every time you change it, all of your wireless users have to manually change/reenter it.  If you have an office with 20 laptop users, that is a pain.  And if it is long, or complex, they will write it down.  Even if it is not that hard to get off of an unattended PC, it still is yet another vulnerability.  A short key that is in a dictionary could be cracked through brute force regardless of how good the encryption is.  Every character added to the password increases the time for the brute force attempt exponentially.  "Mary had a little lamb," would fail a dictionary lookup attack, and would take a brute force attack by even a supercomputer a thousand years to break.  If you make it "Q234*duH%%p" someone will write it down and slap it on their monitor (and complain every time they have to re-enter it).
But if I make it  &c?_dXpWnQr,s2[2ti$.2M9+XTl2Kr?ki8^,mG(s7gH_W6_MS[6BMfH18%)U:zh  many won't even try to write it down since they'll quickly realise that it will be quicker for them to copy&paste it from some file I distribute through the network.
Again, such key is to keep outsiders out, not insiders. All wireless keys can be pulled out from Windows very easily once you have access to a machine.
And yes, sure, my users hate me. That's what I'm paid for ;-)
Laptops go outside the network all of the time, and are the primary (usually exclusive) users of wireless.  Having the key in a file on the desktop, or in email can expose the key, and then let someone with another laptop access whenever they want -- until you change the key.   Most environments never change their wireless key, or change it very infrequently.
You did not get it. All wireless keys ever used by Windoze on a machine can be retrieved in a snap.
Okay, so we both agree that you can get the keys if you have access (the people who know how to do that. -- WirelessKeyView)  And we agree that access to the laptop itself is the main vulnerability.  So, if we aren't going to stop a determined hacker, our goal should be to stop brute force attacks from outside, and stop lower skilled people who can't use the determined hacker approach (the kind of people known as script kiddies) or casual office workers looking over your shoulder.  That means we want to use keys that the user can remember in their head, and not write down.  
You point out yourself that a long incomprehensible key is of no added value, as a determined hacker can get that anyway.  Also, where I come from, elegance in security is in reducing risk, while maintaining, or increasing usability for the user.  A major decrease in ease of use for the user, for a very small reduction in risk is not a good tradeoff.
Also, my suggestions regarding passwords were general, and not exclusively for wireless security.
 
We can both agree that changing the wireless key periodically makes good sense.  For a network admin, finding a balance between reducing risk by changing it often, and ease of use for the user by never changing it is a judgment call.  A key change once a day is dysfunctional.  A key change once a year is too insecure.  The nature of the given business and the potential cost of losing data can determine what is right for a given business.  For some businesses once a week may be prudent, and for other businesses 90-120 days may be ideal.
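
The thread's two recurring points, a randomly generated 63-character key and the exponential growth of brute-force time with each added character, can be put into numbers. The following is an added example, not part of any post above; the guess rate and the 94-symbol alphabet are assumptions chosen for illustration, and the per-character estimate applies only to randomly chosen keys, not to dictionary words or known phrases.

```python
import math
import secrets

# WPA/WPA2-PSK passphrases are 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63
# Assumed alphabet: printable ASCII without the space (94 symbols), so a
# copied key never carries an invisible leading or trailing character.
ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F))


def generate_psk(length: int = MAX_LEN) -> str:
    """Return a random passphrase drawn from the OS CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}..{MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def validate_psk(passphrase: str) -> bool:
    """Check the format limits a router enforces on a WPA passphrase."""
    return (MIN_LEN <= len(passphrase) <= MAX_LEN
            and all(0x20 <= ord(ch) <= 0x7E for ch in passphrase))


def keyspace_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of search space for a uniformly random key of this length."""
    return length * math.log2(alphabet_size)


def average_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a random key: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e6  # assumed offline guess rate, for illustration only
    for n in (8, 12, 20, 63):
        bits = keyspace_bits(n)
        print(f"{n:2d} random chars: {bits:6.1f} bits, "
              f"~{average_years(bits, RATE):.3g} years at {RATE:.0e}/s")
    print("new key:", generate_psk())
```
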