Solved

Wireless security settings

Posted on 2010-09-15
530 Views
Last Modified: 2013-12-27
We are in the process of looking into creating wireless access points on our network for 40 computers.  Can anyone provide advice as to the most appropriate wireless security settings and/or explain the pros and cons of the different options?
17 Comments
 
LVL 1

Expert Comment

by:Robert Davis
WPA2 is strongest; having an authentication service like RADIUS is best, but a pre-shared key also works well.  WEP can be cracked in a matter of seconds.  For 40 hosts I recommend having multiple lightweight APs with a controller (Cisco and others offer these), so the hosts don't cross-talk and the load can be distributed.  I would also not broadcast your SSID.  Does this help you?
0
 

Author Comment

by:DHPBilcare
It does, thanks for the comment.  I am moving towards WPA2 with a shared key.

What would I need for RADIUS?  Would I need a dedicated server?
0
 

Expert Comment

by:dusty_it
When designing a wireless network there are many other parameters you have to take into account, not only security; please review your needs in terms of bandwidth per computer and where the computers are located (blind spots, walls, etc.).

Talking about wireless security, you should choose WPA or WPA2 (better) with a long passphrase. WPA is vulnerable only to brute-force dictionary attacks; if you choose a passphrase of, let's say, 30 characters (with digits and mixed uppercase and lowercase letters), your network should be sufficiently secured.
0
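To make the passphrase advice above concrete, here is an added example (written for this thread, not code from any of the posters). It implements the IEEE 802.11i derivation of the WPA/WPA2-Personal Pairwise Master Key, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), from HMAC primitives so the structure is visible, cross-checks it against `hashlib.pbkdf2_hmac`, and applies a simple passphrase policy. The policy thresholds (`MIN_LEN`, `MIN_CLASSES`) and the tiny `COMMON_WORDS` list are constructed assumptions for illustration, not part of any standard. The derivation also shows why the SSID is not a secret: it is the PBKDF2 salt, so it changes the key, but every association frame carries it.

```python
"""WPA2-Personal PMK derivation (IEEE 802.11i) and a passphrase policy check.

Added example for this thread, not from any poster.  The 4096-iteration
PBKDF2-HMAC-SHA1 derivation is the standard one; the policy values below
are constructed assumptions.
"""
import hashlib
import hmac
import string

ITERATIONS = 4096   # fixed by 802.11i for WPA/WPA2-Personal
PMK_LEN = 32        # 256-bit Pairwise Master Key
HLEN = 20           # SHA-1 output length

# Assumed policy, not a standard: well above the 8-character protocol minimum.
MIN_LEN = 20
MIN_CLASSES = 3     # of: lowercase, uppercase, digits, punctuation
# Constructed stand-in for a real word list; a real check uses a large one.
COMMON_WORDS = {"password", "wireless", "company", "welcome", "letmein"}


def _pbkdf2_block(passphrase: bytes, salt: bytes, block_index: int) -> bytes:
    """One PBKDF2 block T_i = U_1 xor U_2 xor ... xor U_c (RFC 2898, F function)."""
    u = hmac.new(passphrase, salt + block_index.to_bytes(4, "big"), hashlib.sha1).digest()
    t = bytearray(u)
    for _ in range(ITERATIONS - 1):
        u = hmac.new(passphrase, u, hashlib.sha1).digest()
        for j in range(HLEN):
            t[j] ^= u[j]
    return bytes(t)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal PMK shared by every station on the network.

    The SSID is the salt: it is an input to the key but is broadcast in
    every association, so hiding it adds nothing to the key's strength.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases are 8 to 63 ASCII characters")
    p, s = passphrase.encode("ascii"), ssid.encode("utf-8")
    # 32 bytes need two 20-byte SHA-1 blocks; keep the first 32 bytes.
    return (_pbkdf2_block(p, s, 1) + _pbkdf2_block(p, s, 2))[:PMK_LEN]


def matches_stdlib(passphrase: str, ssid: str) -> bool:
    """Cross-check the hand-rolled derivation against hashlib's PBKDF2."""
    ref = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), ITERATIONS, PMK_LEN)
    return derive_pmk(passphrase, ssid) == ref


def passphrase_issues(passphrase: str) -> list:
    """Return policy violations for a candidate PSK (empty list = acceptable)."""
    issues = []
    if len(passphrase) < MIN_LEN:
        issues.append("too short")
    classes = sum(
        any(c in cls for c in passphrase)
        for cls in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)
    )
    if classes < MIN_CLASSES:
        issues.append("too few character classes")
    # "Password123!" style: a word with digits/punctuation tacked on the ends.
    core = passphrase.lower().strip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        issues.append("dictionary word")
    return issues


if __name__ == "__main__":
    # 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print("PMK:", derive_pmk("password", "IEEE").hex())
    for cand in ("Password123!", "Correct-Horse-Battery-Staple-2010"):
        print(cand, "->", passphrase_issues(cand) or "meets policy")
```

Running it shows that the same passphrase and SSID always yield the same PMK on every client (the reason a leaked PSK compromises the whole network and a rotation touches every device), while a different SSID yields a different PMK even though the SSID itself is public.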
 
LVL 1

Expert Comment

by:Robert Davis
Yes, you would need a dedicated server that would handle logins for each user, which RADIUS then uses to encrypt the traffic.  It is much more involved and more maintenance as well.  A good long WPA2 PSK with a good SSID that isn't broadcasting is bulletproof enough.  With any security, if someone wants in bad enough, no amount of security will stop them.

My concern would be how close to each other those 40 hosts are and how many APs in what locations you have, rather than the encryption.  Encryption can be changed fairly easily.  You may want to consider a consult for your hardware side if you haven't spent money already...
0
 
LVL 1

Expert Comment

by:Robert Davis
Or just going with a much cheaper wired solution, if possible.
0
 
LVL 12

Accepted Solution

by: naykam (earned 500 total points)
I would strongly recommend WPA2 enterprise using certificates and RADIUS authentication.

This is the ideal scenario. If you have an Active Directory, then it could seamlessly integrate the wireless credentials into the user accounts.

Further to that, the use of certificates would make it just that much more secure. There is a lot of documentation online in regards to 'wireless AD authentication / wireless RADIUS authentication using IAS or NPS'.

> am moving towards WPA2 with a shared key.
> What would I need for RADIUS?  Would I need a dedicated server?

The answer is no, you will not need RADIUS for a pre-shared key. Your wireless hardware would support this natively. For WPA2 Enterprise (in a nutshell) you need RADIUS, as it handles the authentication handshakes.

If you go for a pre-shared key, as mentioned, it will be sufficient for most practices. But it really comes down to how secure the rest of your network is. By securing it with a long and complex (no dictionary words) key, you can at least say that you 'have tried your hardest'. Hiding the SSID can become a pain in the backside, unless you have group policies that manage the wireless network profile for each computer. Hiding it really doesn't provide any more 'security' on the network, but it does stop random people trying to connect to it and generating a large disallowed log file.

In my opinion, WPA Enterprise is the only way to go. It may be a bit more to set up, but data integrity is key.
0
 
LVL 1

Expert Comment

by:Robert Davis
You can crack WPA when you know the SSID and get a good packet sniff; not broadcasting greatly reduces this chance.  Having to deal with RADIUS, an authentication server/AD, and user logins, along with not all hosts/cards supporting Enterprise, has an arguably equal amount of issues over typing in an SSID once, or even posting it up on the wall like most datacenters.  We use RADIUS with AD, but I sure as heck don't at home despite the data being just as sensitive.  I just use a MAC filter table and don't broadcast, with a PSK.

It sounds like this network is not very complex though, although it would be nice if you'd let us know what you'd like to accomplish.  I'm not trying to shy you away from RADIUS; it's a tried and proven system that a lot of businesses use, with plenty of documentation.  If you want the most security, go RADIUS with LWAPs that have their signal strengths reduced so they don't broadcast outside.  But using a wired solution is MUCH cheaper... then you can use MAC port security to lock down your network from unauthorized users (which you can also do on your wireless controller).  Most users seem to spend a lot of time securing their wireless network, and not their wired.

Let us know what you want to accomplish, the sensitivity of the data you are passing wirelessly, and the reason you want to go wireless.  This will greatly help determine what route is best for you.  Also remember the best security you can apply is on the data itself via SSL, AES, and general safe practices (don't fall for phishing attempts etc.).  The media will always be your weakest point, as media is easy to passively tap, especially over the air.
0
 
LVL 20

Expert Comment

by:Jakob Digranes
In regards to wireless and security, without a doubt go with naykam's solution.
You should never, never and never go with anything other than RADIUS/TACACS (AD/Directory) authentication, authenticating both computers and users.

Why - because it's unbreakable.

Why not PSK:
- Pre-shared keys leak. You tell 10 people the PSK, and within a couple of weeks someone stopping by at the office gets the PSK from someone because they need wireless - or someone else does.
- When you change the PSK, you need every single user to change the PSK.

With RADIUS, all wireless settings and changes can be controlled through GPOs; every single computer has its own encryption key, and it changes regularly (when using WPA2), so packet sniffing is wasted - you'll never get enough packets to hack the keys.

All other options:
- Hiding SSID
- MAC filters
are just more hassle and false security.
0
 
LVL 1

Expert Comment

by:Robert Davis
I beg to have you argue your point.  Hiding the SSIDs totally prevents passersby from sniffing from the outside world.  And if you have a packet sniff of the PSK and have the SSID, it's a matter of 17 minutes to crack it; RADIUS is much further behind but of course crackable.  MAC filters, on the other hand, are a lot safer.  Sure you can spoof... if you know what to spoof.  Coupled with port security in sticky mode, your network is locked down with little effort.  2 minutes of work for exponentially higher security sounds like a good trade-off to me.
0
 
LVL 20

Expert Comment

by:Jakob Digranes
All legitimate packets sent in a network with a hidden SSID contain the SSID in the header.
Using inSSIDer, or any other free sniffing software, will not tell you the SSID.

Get a real wireless packet sniffer, and you can EASILY pick out the hidden SSID.
So much for security --- though it might prevent Brian, 14 yrs old next door, it will not prevent Brian, 19 yrs old, "hacker" with the ability to Google ...

On what basis can you claim that a WPA2 encryption key is cracked within 17 minutes?
When cracking encryption keys, it's all about getting enough packets, which is easy enough for WEP, where the key doesn't change, or WPA, where all users can share a key.
But with WPA2, every single station has its own key, changing like every 6 minutes -- happy hacking - it will not work, not even on a sunny day!
0
 
LVL 20

Expert Comment

by:Jakob Digranes
0
 
LVL 1

Expert Comment

by:Robert Davis
Indeed, we use AirMagnet in conjunction with Kismet for site surveys.  As said a million times, there's always a way to crack it.  I don't see what your beef is with not broadcasting the SSID or using MAC filtering/port security when it really doesn't take any time to implement and drastically improves network security.  It's easy, for a noticeable gain, end of story.  In my experience Cisco RADIUS solutions and users having weak, forgetful passwords cause way more issues than a forgotten SSID or MAC change.  Just my $0.02
0
 
LVL 20

Expert Comment

by:Jakob Digranes
I've never said hiding the SSID is wasted,
but it should be used together with RADIUS ---
I might have misunderstood you - I thought you claimed that hiding the SSID and MAC filtering is better than RADIUS -- and of course, that's not the case.

You should always - when securing wireless - start with RADIUS/TACACS; everything else comes as a bonus.
0
 
LVL 1

Expert Comment

by:Robert Davis
Ah, if you read my first posts -- RADIUS is safer.  But for the OP, it kind of comes down to what kind of operation this is and what his experience and budget are.  There are definitely times where PSK is far more practical, despite the increased risk; that's my only other point.  Cost, hardware, drivers and knowledge are a few concerns.
0
 
LVL 25

Expert Comment

by:madunix
Read this: http://www.linux-magazine.com/w3/issue/119/048-049_kurt.pdf
If you are looking for a cheap and secure wireless router setup, check out Tomato, DD-WRT, or OpenWrt.
0
 
LVL 20

Expert Comment

by:Jakob Digranes
Still --- I wouldn't recommend anyone deploy anything other than 802.1X-secured wireless in a business environment ---
PSK, hiding the SSID and MAC filtering are less secure and/or high maintenance ...
And 802.1X with Win2008 NPS or Win 2003 IAS is fairly easy, and if you skip certificate deployment as well and use only computer accounts with user re-authentication, it's, if possible, even easier --
0
 

Author Closing Comment

by:DHPBilcare
Thanks for the comments.

For us security is the key, and our parent company has insisted on RADIUS authentication.  We have asked for an expert to come on site and look at what we will need going forward.
0