Wireless Networks Thread, WEP Hacked in Technical
  1. #46

    Join Date
    Jul 2010
    Posts
    106
    Thank Post
    0
    Thanked 14 Times in 14 Posts
    Rep Power
    11
    If I were you I wouldn't waste my time setting up another PSK wireless setup.
    It looks like your access points support 802.1x so I would go for WPA/WPA2 enterprise, it would take less than an hour to get a test setup going.

  2. #47

    Join Date
    Sep 2013
    Location
    UK and Europe
    Posts
    115
    Thank Post
    0
    Thanked 56 Times in 46 Posts
    Rep Power
    11
    802.1X will require an authentication server and certificate services, this is a terrible option. The problem is encryption, not authentication.

    WPA/WPA2 enterprise is not something you knock up in an hour, it needs thorough testing and an experienced admin to even try.

    NM

  3. #48

    m25man's Avatar
    Join Date
    Oct 2005
    Location
    Romford, Essex
    Posts
    1,625
    Thank Post
    49
    Thanked 460 Times in 336 Posts
    Rep Power
    140
    Quote Originally Posted by neilmac View Post
    WPA/WPA2 enterprise is not something you knock up in an hour, it needs thorough testing and an experienced admin to even try.
    This bit indeed is true.

    I certainly wouldn't agree that 802.11x is a Terrible Option.

    Clearly NM you have no experience of having to meet PCI/DSS compliance which is another "Well published collection of best practises" dreamt up by a bunch of so called experts that is then pushed to the limits by another bunch of so called experts called Penetration testers that in turn will tell you that 802.11x is the only way to secure your network!

    In the next breath all of these so called experts find themselves being ridiculed when the likes of our High St Banks are infiltrated by gangs using simple KVM and hardware keylogging systems!

    WPA/WPA2 PSK is fine as a 1st layer means of securing your Wireless network and should be used with a strong key and is probably enough to defend your home network from unwanted guests and neighbours especially if used with other measures such as client isolation. (I would add that all of my neighbours have been compromised) especially the one that set his SSID to "Hack This" which I promptly changed to "OK Then".

    It most certainly is not the best option of protecting your network per se.

    In a school where you may have 1200 kids and 100 staff wanting to access the private WLAN on a daily basis the risk of your PSK becoming public knowledge is high and the overhead of having to change it regularly also has to be considered.
    BYOD has increased the threat of network compromise to new levels many of which are yet to be seen on this forum.

    Operating a correctly managed and VLAN segmented Guest network and keeping your corporate/campus segments totally locked down to your approved devices and users is the only secure way to do it.

    Anything else is just a compromise.

  4. #49

    localzuk's Avatar
    Join Date
    Dec 2006
    Location
    Minehead
    Posts
    17,684
    Thank Post
    516
    Thanked 2,453 Times in 1,899 Posts
    Blog Entries
    24
    Rep Power
    833
    We use 802.11x and WPA2 here. No reason why you can't do both!

  5. Thanks to localzuk from:

    m25man (25th September 2013)

  6. #50
    chazzy2501's Avatar
    Join Date
    Jan 2008
    Location
    South West
    Posts
    1,782
    Thank Post
    213
    Thanked 263 Times in 213 Posts
    Rep Power
    67
    TKIP was made to run on the same hardware as WEP devices. It is very secure and NOT practically hack-able if used properly. TKIP is not an encryption method so comparing TKIP to AES is wrong. (BUT often labelled that way) Use TKIP on your old hardware it's really a step up from WEP.

  7. #51

    Join Date
    Sep 2013
    Location
    UK and Europe
    Posts
    115
    Thank Post
    0
    Thanked 56 Times in 46 Posts
    Rep Power
    11
    The last few commenters - you are absolutely right about 802.1X.

    We are referring to user WepHack who has old equipment with varying levels of compatibility and low user skills. His immediate problem is a crackable WEP implementation. His immediate course of action should be to replace WEP with WPA2, with additional support for WPA for those devices that only support WPA.

    Now, in the longer term, WPA2 Enterprise (802.1X) is absolutely the right solution. It's the only way to authenticate the user or device accessing the network, and to provide a Robust Secure Network (RSN).

    When WepHack gets round to upgrading his network he should definitely implement a managed solution with enterprise security.

    Now, those of you who have commented and who are using WPA2 enterprise, I am sure you will agree with me that implementing it is not something you can do easily and quickly. It requires planning, testing and finally time to implement, and it's absolutely worth it in the end.

    So to correct my statement, it's not that 802.1X is a terrible idea, it's that I wouldn't advise WepHack to use it now to fix his current problem. When he upgrades though he absolutely should.

    There are alternatives too - Ruckus have a dynamic Pre-Shared Key system that gives each user their own key that can be time limited and revoked.

    As for security compliance, there are many policies that organisations are required to adhere to, from PCI mentioned by m25man to HIPAA, ISO27000, SARBOX and many more. Tools such as AirMagnet WiFi Analyzer and AirMagnet Enterprise will scan a network and immediately highlight where a network fails any of these policies. It can also scan against a custom policy. (Enterprise Network Security - AirMagnet Enterprise | Fluke Networks)

    AME is in use in financial institutions and healthcare, it's probably overkill for a school, however you should definitely look into new offerings from AirTight, where security checking is built into the access points - AirTight Wireless Intrusion Prevention System

    The point here is that when you are dealing with environments like education, there is an expectation of privacy and security of data. If there isn't a mandated security policy then the school and IT department need to develop one. Check out CWNP's Certified Wireless Security Professional (CWNP | Certifications) for training on understanding threats and developing policy.

    Overall, your responsibility as an admin is to make the network as secure as you can.

  8. #52

    Join Date
    Sep 2013
    Posts
    25
    Thank Post
    35
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Could length of WPA key cause compatibility/connection issues with some devices? I'm trying to troubleshoot why some of our mishmash of devices won't connect to WPA.

  9. #53

    Join Date
    Sep 2013
    Location
    UK and Europe
    Posts
    115
    Thank Post
    0
    Thanked 56 Times in 46 Posts
    Rep Power
    11
    Yes. What are you using right now and what are the options available? (on the access point)

  10. Thanks to neilmac from:

    WEPHack (25th September 2013)

  11. #54

    Join Date
    Sep 2013
    Posts
    25
    Thank Post
    35
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    I was trying with a 504 bit key. The suggestion is that light is 64 bit, and medium is 160 bit. From what has happened a reasonably long key would be wise in case someone tries to write it down (albeit we'll try and prevent access to the key as best possible).

    The APs are certainly accepting the 504 bit key, but our Android tablets here don't seem to like it. So many variables though it's hard to know whether it's this, the level of encryption, or AP compatibility.

  12. #55

    Join Date
    Sep 2013
    Posts
    25
    Thank Post
    35
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Education is certainly a difficult environment. You have extremely sensitive data combined with low budgets for hardware, and are then expected to work miracles. A lot of staff, including senior staff, just don't realise the pressure. To boot I've been trying to sort out a mess of an IT department for a couple of years now, replacing hardware that desperately needs sorting, along with all the documentation required to properly support. This is with minimal human resources as well.

  13. #56

    Join Date
    Sep 2013
    Location
    UK and Europe
    Posts
    115
    Thank Post
    0
    Thanked 56 Times in 46 Posts
    Rep Power
    11
    You don't need a 504 bit key, that's probably the problem. Do you have an option for an ASCII key or is it HEX only?

    By the way, WPA/WPA2 are WiFi Alliance designations, so if you check the device's WiFi Alliance certificates and it's listed then they should be compatible and interoperable. Your WG302 is certified for WPA and WPA2.

    Keep it simple, a short ASCII key will be fine if it's complex enough, 10 characters is good.

    As for the environment, I come across this all of the time. I don't know why schools/IT departments are so resistant to a) getting trained on wifi basics and b) calling for professional help. WiFi is not easy to deploy correctly, it's a difficult and complex technology and needs careful planning and design, yet the expectation on the IT staff seems to be that you should just nail up access points in any old place and expect to get enterprise class performance. Bizarre!

    Anyhow, focus on the problem in hand for now, get a stable tested connection.

    What errors are you getting when you try to connect? How have you set up the SSID?

    NM

  14. #57

    Join Date
    Sep 2013
    Posts
    25
    Thank Post
    35
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by neilmac View Post
    You don't need a 504 bit key, that's probably the problem. Do you have an option for an ASCII key or is it HEX only ?
    It doesn't seem to differentiate and just has a single field for entry of the key. I'm using a website based generator to create the key.
    Quote Originally Posted by neilmac View Post
    By the way, WPA/WPA2 are WiFi Alliance designations, so if you check the device's WiFi Alliance certificates and it's listed then they should be compatible and interoperable. Your WG302 is certified for WPA and WPA2.
    That's good news at least! Although I'm wary of these WAPs as they just seem to behave strangely. Even more so our newer Netgear WAPs, the WNDAP350.
    Quote Originally Posted by neilmac View Post
    As for the environment, I come across this all of the time. I don't know why schools/IT departments are so resistant to a) getting trained on wifi basics and b) calling for professional help. WiFi is not easy to deploy correctly, it's a difficult and complex technology and needs careful planning and design, yet the expectation on the IT staff seems to be that you should just nail up access points in any old place and expect to get enterprise class performance. Bizarre !
    Certainly where we are it's just pressure at every level i.e. not enough budget to easily change what's an expensive item (both consulting and hardware) when done properly, and getting training is not easy when you're required most of the time. It's not impossible though, and a wireless replacement was already pencilled in for next FY, although it's still likely to be £10-20k+, even more with a possible change also required to our wired infrastructure (new higher bandwidth switches, VLAN setup etc.).
    Quote Originally Posted by neilmac View Post
    What errors are you getting when you try to connect ? How have you set up the SSID ?
    With the tablets I've not had much chance to troubleshoot. It sees the SSID on a scan, but just doesn't connect. SSID is just an alphanumeric string with the name of the school and a "2" at the end. No spaces or symbols.
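
Added example, not part of any post in this thread: a check of what a single untyped key field can legitimately hold under WPA/WPA2-PSK (8 to 63 printable ASCII characters, or exactly 64 hex digits used as the key directly), plus the standard passphrase-to-key derivation. It assumes the generator's "504 bit" figure means 63 characters at 8 bits each; the function names, sample keys and the SSID `ExampleSchool2` are constructed for illustration.

```python
import hashlib
import string

PRINTABLE = set(range(32, 127))  # WPA passphrases: printable ASCII only

def classify_wpa_key(entry: str) -> dict:
    """Say how a single, untyped key field would interpret `entry`."""
    # Exactly 64 hex digits is taken as the raw 256-bit PSK, not a passphrase.
    if len(entry) == 64 and all(c in string.hexdigits for c in entry):
        return {"kind": "hex-psk", "bits": 256}
    try:
        raw = entry.encode("ascii")
    except UnicodeEncodeError:
        return {"kind": "invalid", "reason": "non-ASCII character"}
    if any(b not in PRINTABLE for b in raw):
        return {"kind": "invalid",
                "reason": "control character (tab/newline from copy-paste?)"}
    if not 8 <= len(raw) <= 63:
        return {"kind": "invalid",
                "reason": f"{len(raw)} chars, allowed range is 8-63"}
    # Assumption: the generator's "bit" figure is 8 bits per character.
    return {"kind": "passphrase", "chars": len(raw), "bits": len(raw) * 8,
            "at_limit": len(raw) == 63}

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

if __name__ == "__main__":
    ssid = "ExampleSchool2"                  # constructed SSID
    samples = {                              # constructed keys
        "63-char": "Kq7#" * 15 + "xY2",
        "64-hex": "0123456789abcdef" * 4,
        "64-char non-hex": "Kq7#" * 16,
        "trailing newline": "CorrectHorse9!\n",
    }
    for label, key in samples.items():
        info = classify_wpa_key(key)
        print(f"{label:18} {info}")
        if info["kind"] == "passphrase":
            pmk = derive_pmk(key, ssid).hex()
            print(f"{'':18} PMK for SSID {ssid!r}: {pmk}")
```

Because the SSID is the salt, the same passphrase yields a different derived key on every SSID, so a key copied between networks with different names never produces the same 256-bit value.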

  15. #58

    Join Date
    Sep 2013
    Location
    UK and Europe
    Posts
    115
    Thank Post
    0
    Thanked 56 Times in 46 Posts
    Rep Power
    11
    You could also lease the solution rather than face a large up front expenditure. I know of fully managed systems (aruba access points + cloud management) for around 30 GBP per access point per month, including hardware upgrades every 3 years. It's fully managed and supported so you don't have to learn anything. Airtight offer similar.

    Back to the problem. Set up one ssid on an access point, with WPA encryption. Get a laptop and remove all of the predefined wlan profiles, then try to connect to the access point as if it were a new connection. View the AP logs to see if it gives you any diagnostics.

    NM

  16. Thanks to neilmac from:

    WEPHack (25th September 2013)

  17. #59

    Join Date
    Jul 2010
    Posts
    106
    Thank Post
    0
    Thanked 14 Times in 14 Posts
    Rep Power
    11
    Please note I said a test setup in an hour. You would only need the RADIUS server (very easy to set up) as most people running 802.1x use PEAP and not EAP-TLS, PEAP only requires a server side certificate which can be created with self ssl or one of the many free certificate websites.

    I agree the problem is that the encryption key has been compromised, but what is to stop this happening again? Just changing the key to WPA is not a fix as this key can still be compromised.
    I have not done this for a while so please correct me if I am wrong, but the only way to deploy WEP/WPA keys is via a profile with a login script which is a bit of a pain and you run into the same problem if the profile gets compromised.

    WPA/WPA2 Enterprise is much more secure and allows settings to be pushed out very easily via group policy, it will only let devices or users you specify to connect to the network.

  18. Thanks to apeman from:

    WEPHack (26th September 2013)

  19. #60

    Join Date
    Sep 2013
    Location
    UK and Europe
    Posts
    115
    Thank Post
    0
    Thanked 56 Times in 46 Posts
    Rep Power
    11
    @apeman - You are right, anyone responsible for WLAN security should be setting up and testing security methods. If they don't know how or don't have time then they should be getting help.

    Someone with no experience is going to struggle to work out how to set up enterprise encryption. A lot of people do have problems trying to deploy it, which is why they end up with PSK. There are lots of forum posts of users asking for advice.

    For anyone who has to deploy 802.1X, this is a great book: http://www.amazon.co.uk/Implementing.../dp/0470168609

    Ruckus invented Dynamic Pre-Shared Key as an alternative to 802.1X, giving an equivalent level of security with a simplified setup method - Ruckus Wireless Awarded Wi-Fi Security Patent for Dynamic Authentication and Encryption | Ruckus Wireless - I see from the poll in another post there are a lot of Ruckus users, it would be good to hear if any of them use Dynamic PSK. Also read: Ruckus Introduces Secure Hotspot - (Note - I am not commercially linked with Ruckus). Aruba and AirTight have alternatives to 802.1X also (though I am not as familiar). If anyone knows of other vendors with similar solutions then do say.

    If Radius is your bag, then here are some tips: The 9 Best Low-Cost RADIUS Servers -- ServerWatch

    It would be interesting to ask everyone how they implement security, maybe people could comment back or open a new thread, I am genuinely interested in hearing about it.

    NM

  20. Thanks to neilmac from:

    WEPHack (26th September 2013)
