Method to encrypt traffic over WiFi…Suggestions???



  • Ok, first off, I am not too sure that this is the right place for this, but figure someone in here can probably point me in the right direction if not.

    So, I have just introduced wireless into my network and am looking for a way to encrypt the traffic over the wireless link.
    I have read that using WPA-Enterprise (with a radius server) will do this at this link:
    http://blog.witopia.net/index.php?/archives/8-What-does-SecureMyWiFi-WPA-Enterprise-really-do.html

    Second to last paragraph they say:
    "Once on, all wireless traffic between the user and the AP is encrypted."

    Is this true?  I haven't managed to find this statement anywhere else yet.

    Otherwise, if this is not true, would a VPN solution work for a local network?

    If so which type? I want all traffic over wireless to be encrypted on a windows (mostly) network.

    Any links to info on this type of thing would be very helpful.

    thanks



  • Yes, with WEP, WPA, and WPA-E all traffic is encrypted. WEP is unsafe and is not recommended. WPA with passphrase is much more secure than WEP and is easier to implement than WPA-E. Of course any data going over a wireless connection is not 100% secure, but if you used WPA along with a VPN it would be very close. That said, WPA is typically strong enough for wireless.

    Make sure, if you use a WPA passphrase, to create a random 256-bit passphrase.
    You can obtain a random 256-bit (63 characters) passphrase here: https://www.grc.com/passwords.htm

    Using a 256-bit passphrase will make it extremely tough to crack, and it would take a long time. I also recommend changing the passphrase at least every 6 months.



  • Ok, good to know, thanks.

    I am using WPA2-personal which I guess by default means AES encryption.
    I do have a 63 character passphrase.
    I generated that from here:
    http://www.kurtm.net/wpa-pskgen/

    Would there be any added security benefit to me using a radius server on top of what I already have?
    I would like to get the best security that I can for the wireless.

    I could try running it on the pfsense box or another server on my LAN.



  • WPA-Enterprise is about the most secure wireless available right now. So yes there would be an added benefit to using it.



  • Ok well I will look around for a how to on getting radius going on pfsense.

    Does anyone have a link handy for this type of thing?

    thanks



  • WPA PSK with AES, when used with a key longer than 21 chars, would take you more than 150.000.000.000.000 years to crack if your average speed for bruteforcing keys is 60 keys a second. So I would not worry too much. WPA is broken the following way. You need to grab the 4 frames containing the initial handshake, then bruteforce it against a dictionary. In order to have a safe transmission all you need to care about is not using something fitting a dictionary attack, and I dare say you should be pretty safe. Use hide SSID and possibly add a MAC filter just to make it harder. With enough time everything can be broken. But WPA with a non-dictionary key of more than 21 chars should be more than enough to keep you safe.



  • wpa-psk is one key for all users
    wpa-e    is a different key for every user

    so by wpa-psk you can scan all packets and get the key
    by wpa-e you have to scan a single user to get his key


  • Rebel Alliance Moderator

    Just a quick sidenote:

    Use hide SSID

    Please don't. It does not help you gain a security advantage in any kind of way. With a bit more work than "fire up Windows and scan WLANs around you" you'll see the AP anyway, and by overhearing packets you'll get the name sooner or later anyway. This just helps to worsen the situation in spots where many APs sit near each other. The "normal" user doesn't get to see your AP and fires up his own - just with the same settings (frequency/channel/speed) as your own. Benefit? Nope.
    Instead I talked with a few WLAN users and told them to use an SSID with sense. Mail address or location, e.g. So if you have problems with a spot near you - you know where to go and talk. May not help? Perhaps, but without it, it won't either. Had good results near our company headquarters and in my hometown, where users get in touch with each other and could coordinate their WLAN settings. Just a thought.

    Other than that I have to fully agree to lsf ;) And with the dan using 63 char passphrase I think PSK with AES is quite secure :)

    Greets Grey



  • I have seen some access points that support rogue AP detection. They scan for already used channels in range and switch to the most far away channel that is not conflicting with the detected access point(s). Maybe this is something we could add as a feature, where you can set channel "auto" and check "rogue AP detection". Then a cronjob could scan for other APs and hop to another channel to avoid conflicts.


  • Rebel Alliance Moderator

    You're my man ;) That would indeed be a nice addition to the feature set (which is simply gorgeous atm) :)



  • Hide SSID just makes it a bit harder to find your AP, that is all. As for the negative effects, sure, if you do not know what you are doing then it could potentially make users use the same channels etc. But a serious user should always do a site survey with a spectrum type analyzer. In the 2.4 GHz band you will find lots of interference that is not 802.11 traffic, so you will have to use a spectrum analyzer anyway. You will find stuff like DECT phones, wireless audio/video transfer, wireless alarm systems, and a bunch of other things. So relying on an AP scan to find a "noise free" channel does not work in real life. At least not in the 2.4 GHz band. DFS + TPC will however give a nice result in most cases.



  • @jeroen234:

    wpa-psk is one key for all users
    wpa-e    is a different key for every user

    so by wpa-psk you can scan all packets and get the key
    by wpa-e you have to scan a single user to get his key

    I am the only user anyway…this is just in my apartment.
    There are about 5 other AP's that I can see from my apartment. 
    All are weak signals.
    None using anything greater than wep for security.

    I learned a lot in this thread.
    Since all traffic across the wireless link is encrypted and it appears that I am using the best possible security that a single user can (WPA2, 63 random character key)...

    I'm happy with what I have now.



  • @danbutter:

    @jeroen234:

    wpa-psk is one key for all users
    wpa-e    is a different key for every user

    so by wpa-psk you can scan all packets and get the key
    by wpa-e you have to scan a single user to get his key

    I am the only user anyway…this is just in my apartment.
    There are about 5 other AP's that I can see from my apartment. 
    All are weak signals.
    None using anything greater than wep for security.

    I learned a lot in this thread.
    Since all traffic across the wireless link is encrypted and it appears that I am using the best possible security that a single user can (WPA2, 63 random character key)...

    I'm happy with what I have now.

    In your situation, WPA-psk will be fine for you. I would recommend that you change your wireless key every 6-12 months. I would also recommend reducing the transmit power to the lowest acceptable power that you receive good reception at.



  • I am personally using WPA-Personal (TKIP) with a 63-character (random) key. I am also doing a MAC filter so even an Ethernet device can't pass traffic or get DHCP on the network w/o being in the list (can't wait till I can MAC filter ONLY the firewall, as this is very extreme for most) and am going to be setting up an OpenVPN tunnel from end-client to AP to increase the encryption of the data "flowing over the airwaves".
    Now this is very extreme and does create a fair bit of overhead, so you get even less max throughput because of the WPA and then the VPN tunnel, but if you are trying to protect your information as much as you can then I believe this is about as secure as you can get 802.11x for now.

    Oddly I use this all for my house (currently just a desktop and laptop), but I do consulting from my house and prefer to protect my clients information as much as I can (while it's within my network).



  • I'm no uber-geek, but a few thoughts.

    • if WPA-Personal sends your MAC first unencrypted to the AP, then a sniffer can get your MAC from that, couldn't it?

    • MAC filtering is great unless someone captures your MAC and spoofs it, right?

    • if you go to ONLY MAC filtering then you would actually be going backwards security-wise, since an attacker could either knock your connection and try to take it over themselves or just wait till you're gone or shut down and connect as you, right?

    just a thought



  • By all means MAC filtering is VERY weak, but I have in my list as just another step to crack.  If you want in badly enough and have the time anyone and everyone can get into any wireless network, but why not make it that much more fun for a wireless hacker IMO.

