Method to encrypt traffic over WiFi…Suggestions???

danbutter · Jan 22, 2007, 2:37 PM

Ok, good to know, thanks.

I am using WPA2-personal which I guess by default means AES encryption.
I do have a 63 character passphrase.
I generated that from here:
http://www.kurtm.net/wpa-pskgen/

Would there be any added security benefit to me using a radius server on top of what I already have?
I would like to get the best security that I can for the wireless.

I could try running it on the pfsense box or another server on my LAN.

yoda715 · Jan 23, 2007, 9:14 PM

WPA-Enterprise is about the most secure wireless available right now. So yes there would be an added benefit to using it.

danbutter · Jan 23, 2007, 9:36 PM

Ok well I will look around for a how to on getting radius going on pfsense.

Does anyone have a link handy for this type of thing?

thanks

lsf · Jan 24, 2007, 5:46 AM

WPA PSK with AES, when used with a key longer then 21 chars would take you more then 150.000.000.000.000 years to crack if your average speed for bruteforcing keys is 60 keys a second. So i would not worry too much. WPA is broken the following way. You need to grab the 4 frames containing the initial handshake, then bruteforce it against a dictionary. In order to have a safe transmission all you need to care about is not using something fitting a dictionary attack, and I dare say you should be pretty safe. Use hide SSID and possible add a MAC filter just to make it harder. With enough time everything can be broken. But WPA with a non dictionary key of more then 21 chars should be more then enough to keep you safe.

jeroen234 · Jan 26, 2007, 12:14 PM

wpa-psk is one key for all users
wpa-e is a differend key for every user

so by wpa-psk you can scan all packets and get the key
by wpa-e you have to scan a singel user to get his key

JeGr · Jan 26, 2007, 12:44 PM

Just a quick sidenote:

Use hide SSID

Please don't. It does not help you gain a security advantage in any kind of way. With a bit of more work than "fire up windows and scan wlans around you" you'll see the AP anyway and by overhearing packets you'll get the name sooner or later anyways. This just helps to worsen the situations in spots where many APs sit near each other. The "normal" user don't get to see your AP and fires up his own - just with the same settings (frequency/channel/speed) as your own. Benefit? Nope.
Instead I talked with a few WLAN users and told them to use a SSID with sense. Mail-adress or Location e.g. So if you have problems with a spot near you - you know where to go and talk. May not help? Perhaps, but without it it won't either. Had good results near our company headquarter and in my hometown where users get in touch with each other and could coordinate their wlan settings. Just a thought.

Other than that I have to fully agree to lsf ;) And with the dan using 63 char passphrase I think PSK with AES is quite secure :)

Greets Grey

hoba · Jan 26, 2007, 2:42 PM

I have seen some accesspoints that support a rogue ap detection. They scan for already used channels in range and switch to the most far away channel that is not conflicting with the detected Accesspoint(s). Maybe this is something we could add as a feature. Where you can set channel "auto" and check "rogue AP detection". Then a cronjob could scan for other APs and hop to another channel to avoid conflicts.

JeGr · Jan 26, 2007, 3:07 PM

You're my man ;) That would indeed be a nice addition to the feature set (which is simply gorgeous atm) :)

lsf · Jan 26, 2007, 7:19 PM

Hide SSID just makes it a bit harder to find your AP, that is all, as for the negative effects sure, if you do not know what you are doing then it could potentially make users use the same channels etc. But a serious user should allways do a site survey with a spectrum type analyzer. In the 2.4 ghz band you will find lots of interference that is not 802.11 traffic, so you will have to use a spectrum analyzer anyways. You will find stuff like dect phones, wireless audio/video transfer, wireless alarm systems, and a bunch of other things. So relying on a AP scan to find a "noise free" channel does not work in real life. Atleast not in the 2.4Ghz band. DFS +TPC will however give a nice result in most cases.

danbutter · Jan 26, 2007, 7:35 PM

@jeroen234:

wpa-psk is one key for all users
wpa-e is a differend key for every user

so by wpa-psk you can scan all packets and get the key
by wpa-e you have to scan a singel user to get his key

I am the only user anyway…this is just in my apartment.
There are about 5 other AP's that I can see from my apartment.
All are weak signals.
None using anything greater than wep for security.

I learned a lot in this thread.
Since all traffic across the wireless link is encrypted and it appears that I am using the best possible security that a single user can (WPA2, 63 random character key)...

I'm happy with what I have now.

yoda715 · Jan 27, 2007, 8:14 AM

@danbutter:

@jeroen234:

wpa-psk is one key for all users
wpa-e is a differend key for every user

so by wpa-psk you can scan all packets and get the key
by wpa-e you have to scan a singel user to get his key

I am the only user anyway…this is just in my apartment.
There are about 5 other AP's that I can see from my apartment.
All are weak signals.
None using anything greater than wep for security.

I learned a lot in this thread.
Since all traffic across the wireless link is encrypted and it appears that I am using the best possible security that a single user can (WPA2, 63 random character key)...

I'm happy with what I have now.

In your situation, WPA-psk will be fine for you. I would recommend that you change your wireless key every 6-12 months. I would also recommend reducing the transmit power to the lowest acceptable power that you receive good reception at.

techie_g33k · Jan 27, 2007, 7:04 PM

I am personally using a WPA-Personal (TKIP) with a 63 (random) key. I am also doing a MAC Filter so even a ethernet device can't pass traffic or get DHCP on the network w/o being in the list (can't wait till I can MAC filter ONLY firewall as this is very extreme for most) and am going to be setting up a OpenVPN tunnel from end-client to AP to increase the encryption of the data "flowing over the airwaves"
Now this is very extreme and does create a fair bit of overhead so you get even less max through put because of the WPA and then the VPN tunnel but if you trying to protect your information as much as you can then I believe this is about as secure as you can get 802.11x for now.

Oddly I use this all for my house (currently just a desktop and laptop), but I do consulting from my house and prefer to protect my clients information as much as I can (while it's within my network).

goofyfoot · Feb 11, 2007, 6:56 AM

im no uber-geek, but, a few thoughts.

if WPA-Personal sends your MAC first unencrypted to the AP, then a sniffer can get your MAC from that couldnt it?
MAC filtering is great unless someone captures your MAC and spoofs it right?
if you go to ONLY MAC filtering then you would actually be going backwards securtiy wise since an attacker could ether knock your connection and try to take it over themselves or just wait till your gone or shutdown and connect as you right?

just a thought

techie_g33k · Feb 14, 2007, 4:44 AM

By all means MAC filtering is VERY weak, but I have in my list as just another step to crack. If you want in badly enough and have the time anyone and everyone can get into any wireless network, but why not make it that much more fun for a wireless hacker IMO.