Security Corner

Jun 20 2008   1:02AM GMT

WiFi Security–The Only Way is WPA

Ken Harthun

Please note: since this article was posted, WPA-TKIP has been found to be vulnerable. See my post of 2008.11.13 entitled “WPA-TKIP Vulnerable to Attack” for more information.

It’s far too easy to set up WiFi for your home or business: go to your local electronics superstore, pick up a wireless router, plug it into your network, and connect to it. The default configuration of most consumer products (completely open, with no security enabled) lets you connect without entering any configuration information into your wireless PC. That’s why in any given neighborhood you’ll see multiple unsecured wireless networks available, and most public WiFi hotspots are also unsecured, open connections. If you just surf the web and send an occasional email you might be OK (apart from the fact that anyone in range can connect to and use your Internet connection, and read whatever you send unencrypted over it), but the moment you start using your PC for banking, making purchases, and paying bills online, that wireless connection absolutely must be secured. It must be done right, and there’s really only one right way to do it. Before I explain that, let me tell you what not to do:

1. Don’t rely on SSID hiding. I’ve seen numerous articles that tout SSID hiding as a security measure (and one CISSP, no less, is recommending it!). While this technique may hide your network from casual view, there’s nothing secure about it: the SSID is transmitted in clear text in the probe and association frames exchanged every time a client joins the network, so it is sniffed out of the air the moment one legitimate client connects. Network Stumbler will list the access points within range whether or not they broadcast their name, and a passive sniffer such as Kismet fills in the hidden SSID from the first association it observes.

2. WEP is broken. With 40,000 to 100,000 captured packets, which an attacker using packet injection can collect in about a minute, a WEP key can be recovered in about three seconds on a Pentium M 1.7 GHz PC. Those figures are for 104-bit (so-called 128-bit) keys; the longer key does not save you. Don’t believe me? Check it out: tutorials, including video walkthroughs, are a web search away. Sure, WEP provides a small measure of security and it’s better than nothing, but why use something that’s already been proven inferior? Would you feel more secure knowing the garage where you store that vintage Corvette is protected by a Master Lock or one you bought at an everything-for-a-dollar store? Your personal information is much more valuable than that car.

3. Don’t bother with MAC address filtering. I don’t know why so many people recommend this. MAC address filtering is equivalent to SSID hiding: it’s virtually useless, except to keep a casual user from inadvertently connecting to your wireless network. Like the SSID, MAC addresses are sent in clear text in the 802.11 frame headers, which stay unencrypted even on a WEP or WPA network, so anyone sniffing your traffic can read the address of an authorized client and set it on their own adapter.

So, what’s the right way? WiFi Protected Access, known by its acronym, WPA. There are two versions: WPA-Personal and WPA-Enterprise. WPA-Personal relies on a pre-shared key (PSK) derived from a passphrase of 8 to 63 characters, while WPA-Enterprise requires a RADIUS authentication server (802.1X) and is therefore more suited to corporate environments. The original WPA uses TKIP, a 128-bit RC4-based cipher designed to run on WEP-era hardware; WPA2 replaces it with AES-CCMP, and you should select WPA2 (often labelled “WPA2-AES”) wherever your equipment offers it. In either case the only practical attack on the pre-shared key itself is an offline dictionary attack against a recorded handshake, so as long as you create a strong, unguessable passphrase, your key is secure. Configuring WPA-PSK on a given wireless router depends on the brand, so consult the manufacturer’s documentation for the exact steps.

And that, my dear reader, is Maxim #13 in the How to Secure Your Computer series of articles:

When it comes to securing a WiFi network, the only way is WPA.
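As an added worked example (not from the original post), the following Python models the WPA-Personal key derivation that makes the passphrase the whole game: PBKDF2 turns passphrase and SSID into the PMK, the 4-way handshake expands it into a PTK whose first 16 bytes authenticate the EAPOL frames, and an attacker who recorded one handshake can repeat that derivation offline for each guess. The SSID, MAC addresses, nonces, EAPOL frame and wordlist are constructed for the demonstration; the guess rate fed to the cost estimator is an assumption, not a measurement (96 printable characters at 10,000 guesses per second reproduces the 22,875-year figure quoted in the comments below).

```python
"""WPA-Personal: passphrase -> PMK -> PTK -> EAPOL MIC, and the offline
dictionary attack that a recorded 4-way handshake makes possible.
Added example with constructed data; not a real capture."""
import hashlib
import hmac

SECONDS_PER_YEAR = 365 * 24 * 3600

# --- constructed sample network and handshake (stand-ins for a capture) ---
SSID = "HomeNet"                                  # constructed
AP_MAC = bytes.fromhex("00112233aabb")            # constructed authenticator address
STA_MAC = bytes.fromhex("66778899ccdd")           # constructed supplicant address
ANONCE = bytes(range(32))                         # constructed; real nonces are random
SNONCE = bytes(range(32, 64))                     # constructed
# 802.1X header (version 1, type 3 = EAPOL-Key, body length 95) plus a zeroed
# key body; the MIC is computed over the frame with its MIC field set to zero.
EAPOL_M2 = b"\x01\x03\x00\x5f" + bytes(95)
WORDLIST = ["password", "letmein1", "HomeNet1", "qwerty123", "sunshine1"]  # constructed


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits).
    The SSID is the salt, so a precomputed table is only good for one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def ptk_from_pmk(pmk: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key. KCK = PTK[0:16] protects the EAPOL-Key frames,
    KEK = PTK[16:32] wraps the group key, TK = PTK[32:48] encrypts data."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes, descriptor_version: int) -> bytes:
    """Key-descriptor version 1 (TKIP) uses HMAC-MD5; version 2 (AES-CCMP)
    uses HMAC-SHA1 truncated to 16 bytes."""
    digest = hashlib.md5 if descriptor_version == 1 else hashlib.sha1
    return hmac.new(kck, frame_with_zeroed_mic, digest).digest()[:16]


def sign_handshake(passphrase: str, ssid: str, descriptor_version: int = 2) -> bytes:
    """The client's side: derive the keys and produce the MIC on message 2."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_M2, descriptor_version)


def crack_psk(ssid: str, captured_mic: bytes, wordlist, descriptor_version: int = 2):
    """The attacker's side, as aircrack-ng does it: no traffic to the AP, just the
    same derivation per candidate. Each guess costs 8192 HMAC-SHA1 rounds of PBKDF2,
    which is why 2008-era hardware managed only hundreds of guesses per second."""
    for candidate in wordlist:
        if hmac.compare_digest(sign_handshake(candidate, ssid, descriptor_version), captured_mic):
            return candidate
    return None


def brute_force_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust every passphrase of the given length (assumed rate, 365-day year)."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("weak  :", crack_psk(SSID, sign_handshake("sunshine1", SSID), WORDLIST))
    print("strong:", crack_psk(SSID, sign_handshake("m^P2sswd", SSID), WORDLIST))
    # 96 printable characters, 8 positions, 10,000 guesses/s (assumed rate)
    print("years :", round(brute_force_years(96, 8, 10_000)))
```

Two things to take from running it: the SSID-as-salt design means a rainbow table built for one network name is useless against another (a cracker who records your handshake but guesses the wrong SSID gets nothing), and the per-guess cost is fixed by the protocol, so the only lever you control is how many guesses the attacker needs, which is the passphrase.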

5 Comments on this Post

  • Tony Bradley
    As a fellow professional writer and blogger (and fellow IT Knowledgebase Blogger), as well as the CISSP who wrote the article in question regarding disabling the SSID broadcast (as well as having written about MAC address filtering), I thought I would respond. Your points 1 and 3 imply that those who suggest such things suggest them in a vacuum, or as the sole, silver-bullet method of safeguarding a wireless network. In most instances, or at least speaking for myself, that is not the case. Yes, disabling SSID broadcasting and MAC address filtering in and of themselves will not completely protect your wireless network from attack or unauthorized use. But, it will, as you yourself mention, protect the wireless network from casual users inadvertently connecting. In the grand scheme of all users in the world with wireless-enabled equipment, what percentage would you classify as "casual users" and what percentage do you think roam around with the skills, the tools, and the motive to sniff out my hidden SSID and connect to my network? I assure you that the odds of a casual user passing through my neighborhood, or even a neighbor living nearby inadvertently connecting to my network is significantly higher than the chances that some rogue hacker with uber skills is going to target my network. It is not a silver bullet. Companies in particular need to implement other measures such as WPA2 encryption and additional authentication such as RADIUS, and segregate their wireless network from the physical LAN. But, I can sit in my living room and pick up 10 networks. Six of them are open and unencrypted. Four of them have encryption of some sort. If I wanted / needed access to a wireless network, you can bet that I am going after the unprotected low-hanging fruit rather than trying to break the encryption on the four that are 'secured'.
And, there may be another 10 out there with SSID broadcast disabled that are relatively safe because I am also not going to waste my time trying to find them when I have 6 open networks readily available. So, I agree with all of your points. Hiding SSID is not secure by itself. WEP is not secure by itself. MAC address filtering is not secure by itself. However, they are all valid parts of a layered defense that helps to make your wireless network less appealing to an attacker than the open, unencrypted, publicly available network your neighbor is running.
  • Tony Bradley
    Also - WPA / WPA2 is also breakable and can not be relied on, by itself, to protect your wireless network (Tutorial: How to Crack WPA / WPA2, http://www.aircrack-ng.org/doku.php?id=cracking_wpa). Filtering MAC addresses or disabling the SSID broadcast could provide an added layer of security to protect the WPA/WPA2 encrypted network.
  • Ken Harthun
    S3kur3 (nice moniker, BTW) is quite right: A layered approach to security is always superior to a single, "silver bullet" approach. Go ahead and use SSID hiding and MAC filtering along with WPA, but don't think that a three-layered approach using WEP instead of WPA is truly secure. I stand by my assertion that WPA is the only way to do the encryption.
  • Ken Harthun
    S3kur3 also points out that WPA/WPA2 is crackable. We can have a quite lively debate over this! (I invite S3kur3, and anyone else who cares to, to email me at ken at harthuntechnologies.com.) The article he cites says, "The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length." Further, cracking WPA is a very computation-intensive process: "...[the] computer can only test 50 to 300 possible keys per second...[using the aircrack-ng program described in the article]." Even at a speed of 10,000 keys per second, it would take 22,875 years to crack m^P2sswd. So, I challenge anyone attempting a brute force attack to spend the next 10 quintillion, 533 quadrillion, 833 trillion, 66 billion, 248 million, 927 thousand years (this is a rough calculation) trying to discover all possible combinations of 'Qt6W'{/b?@mn,QL"Q%. Anyone who has followed my advice about unguessable passwords is immune to an Aircrack-ng attack. My point in these articles is to try to get people to think with security in mind, not blindly follow someone's advice whether or not he or she is an expert, certified professional, recognized authority, or whatnot. Anyone even remotely involved with information security should thoroughly evaluate the advice they give to those less enlightened. If you apply all of the 13 Maxims I've issued to date (several more to come) you're more secure than most of the corporate clients I serve.
  • Tony Bradley
    Fair enough on both counts. I in no way meant to suggest that WEP is adequate protection, just that even a WEP encrypted network is less appealing to an attacker than an unencrypted network, and since there are unencrypted networks every 100 yards or so, the chances of someone wasting the time to crack your WEP are fairly low. Point taken on the ability to crack WPA2. I submit that a layered approach is still the wiser approach though because what takes '10 quintillion, 533 quadrillion, 833 trillion, 66 billion, 248 million, 927 thousand years' to crack today, may only take 30 minutes a year from now with Moore's Law and advances in cryptography.
