Edu-IT (8th December 2009)
In a school environment, what encryption do people suggest for wireless networks? At home I use WPA but I'm wondering if WPA2 is sufficient for a school environment.
Any feedback appreciated!
Do you mean WPA2 Personal or Enterprise?
If you are not using an 802.1X authentication server (RADIUS), then WPA2 (AES, not TKIP or mixed mode) is about as strong as you will get.
TKIP has been compromised, not as bad as WEP was (Airsnort lads have made WEP next to useless) but TKIP can leave ARP compromised, and clever cookies can use this to infiltrate a network.
If WLAN security is vital to you, then authenticate externally I would suggest.
Hope this helps.
TBH, what you could do is have no wireless security and use a VPN connection to connect into the network. No big overheads, and you just put an ISA firewall between your hub and the network. You can even use that "Logon via dialup" check box (since it *dials* the VPN).
It's out of WPA, WPA2, WEP-64, WEP-128.
We can authenticate against AD on the wireless clients.
Just don't want Joe Bloggs outside to be able to connect, that's all.
WPA2 is the most secure out of any.
WPA2 and WPA are easy to hack if many users connect and disconnect. (Cannot be hacked when no inactivity.)
WEP takes the longest to hack (but can be done when no one's using it).
Out of any, I would choose WPA2 (with a random word / numbers).
Can you elaborate on that? I was under the impression that WEP was very easy to compromise but that required it to be in use so enough data can be collected to crack the key (same potentially with WPA).
WPA can be cracked by targeting the initial shared key using basically a dictionary attack or a rainbow table.
WPA2 uses the strongest methods and would take longer to crack than the other two.
Last edited by cookie_monster; 8th December 2009 at 03:40 PM.
Yes, WEP is very easy to hack but can take up to 15 minutes.
WPA and WPA2, if not being used, are impossible to gain access to.
However, if you have lots of handshake requests and a very fast computer you can easily gain access within 5 minutes. (I have done this.)
I would still recommend WPA2, as it's much harder to do.
To be totally honest, I wouldn't transfer mission-critical secure data over wireless anyway.
The FBI demonstrated a WEP hack on a strong key in 3 mins three years ago. WEP is a last resort.
"However, if you have lots of handshake requests and a very fast computer you can easily gain access within 5 minutes. (I have done this.)"
Is the method you used attacking the passphrase or using another method?
http://it.toolbox.com/blogs/unwired/...ng-wpapsk-6730
WPA-PSK may be vulnerable to a brute force attack but, with the choice of the right password, it becomes unfeasible. Assuming a decent utility is used, a 31 character long password of random upper- and lowercase letters and numbers results in 62^31, or 3.7x10^55 possible combinations. If we assume 60 attempts per second, it will take more than 1.3x10^36 times the age of the universe (15 billion years) to attempt every possible combination. The average time would be half that, or 6.5x10^35 times the age of the universe. Even if someone were to come up with a scheme that reduced the bruteforce time to 1 trillionth of what would be required otherwise, it would still take 6.5x10^23 times the age of the universe. And so on... Unless someone finds another way to get the password (e.g., can determine from traffic (like with WEP), beats it out of me, hacks my laptop, etc.), my WAP will remain secure until long after I'm dead. And that's good enough for me.
Last edited by cookie_monster; 8th December 2009 at 03:59 PM.
Well yes, at the end of the day it's just a password, but as it's one that you enter infrequently it should be a long one. I don't consider that to be a flaw, more poor configuration.
Interestingly:
http://blogs.zdnet.com/security/?p=826
WPA-PSK if deployed with a reasonably complex password of 10 or more random alphanumeric characters has never been broken whereas WEP can be broken in minutes.
Last edited by cookie_monster; 8th December 2009 at 04:12 PM.
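Added example (not written by anyone in this thread): how a WPA/WPA2-Personal passphrase and the SSID become the 256-bit key, together with the keyspace arithmetic from the toolbox.com quote above. The function names and the SSIDs are made up for illustration; the 62-character alphabet, 60 guesses per second and 15-billion-year universe age are the quote's own figures.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal key from a passphrase.

    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes out.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def random_passphrase_bits(length: int, alphabet_size: int = 62) -> float:
    """Entropy of a passphrase whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def universe_ages_to_exhaust(length: int, alphabet_size: int = 62,
                             guesses_per_second: float = 60.0,
                             universe_years: float = 15e9) -> float:
    """Worst-case search time, in the quoted post's unit (ages of the universe)."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / SECONDS_PER_YEAR / universe_years


if __name__ == "__main__":
    # Constructed SSIDs; "password" is a deliberately weak sample passphrase.
    for ssid in ("SchoolWiFi", "SchoolWiFi-Guest"):
        print(ssid, wpa2_pmk("password", ssid).hex())
    for n in (8, 10, 31):
        print(n, "chars:", round(random_passphrase_bits(n), 1), "bits,",
              f"{universe_ages_to_exhaust(n):.2e} universe ages at 60 guesses/s")
```

Because the SSID is the salt, the same passphrase gives a different key on every network name, so a precomputed table only applies to the SSID it was built for. The length and randomness of the passphrase are what the entropy figures measure.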
Here's a quick overview for you...
For the full scoop, check out "A Brief History of Wireless Security" at Security Uncorked.
KNOWING YOUR NEED
It really depends on the data you need to protect. In the US, we have specific regulations over data protection for personal information, health and financial. A school network could contain:
- Student grades, names, gov ID, addresses <- Personal info
- Student health information (mental/clinical) <- Health info
- Employee names, addresses, gov ID <- Personal info
- Employee health or insurance info <- Health info
- Employee salary and benefits <- Financial data
THREE MINUTE OVERVIEW
Listed most secure to least secure.
1. Enterprise mode 802.11i (WPA2 with 802.1X and AES) > Connects to directory services to authenticate users or machines and uses 802.1X for key rotation. Not currently broken because the encryption is secure (AES) and the key rotation (802.1X) is not broken.
2. WPA or WPA2 with TKIP > Can be broken, but takes much more effort and the keys themselves aren't broken, the checksum is. The vulnerability is in the TKIP encryption (vs AES) and the threats under this type of attack are limited. TKIP was an interim crypto method before all hardware could support AES.
3. WPA2 with PSK > Uses a pre-shared key instead of rotating keys created by 802.1X. Pre-shared keys are more vulnerable, especially when not configured to rotate at all. Even rotating PSKs are not as secure as 802.1X keys. PSKs also do not offer any type of user authentication, since the keys are shared. If someone violates a policy or attacks the network, tracking down the wireless user is much more difficult with PSKs.
4. WEP with PSK > Just don't even do it.
-jj
Last edited by jjx; 9th December 2009 at 02:43 PM.
If you are a school and can't afford to use enterprise mode, I would simply suggest using WPA2 and putting your wireless nodes on a separate VLAN.