Blogcast: Securing Wireless Networks w/ Cisco 1200 AP's

Recently I've been doing some Securing Wireless Networks presentations around the place, and there are often a few questions on how the process works, so I'll cover that here as well. As usual I've blogcasted the configuration, and those are at the end.

Why do we want more secure wireless?

Doh! We all know how insecure current wireless technologies that rely on Wired Equivalent Privacy (WEP) are. A 128-bit WEP key can now be cracked in as little as 3 minutes by collecting around 500,000 frames of traffic. This can be achieved on 802.11g (54 Mbits) access points in 2 mins 40 secs and on 802.11b (11 Mbits) APs in 8 mins 20 secs, according to Steve Riley. An important note is that neither 802.11b nor 802.11g mandates anything to do with encryption or authentication. This then begs the question... can wireless networks be secured effectively?

How can we secure wireless?

As WEP itself has major flaws, a solution needed to be found in order to mitigate (but not completely solve) the problem until a better solution could be formed. 802.1x, an authentication standard, was combined with WEP encryption to provide not only authentication and access control for wireless access (who are you and do you have access?) but, importantly, key rotation, so that the key is rotated before sniffing can compromise it. As we now know that keys can be cracked in as little as 2 mins 40 secs on a 54 Mbit wireless access point going at full rate, your key rotation window in the 802.1x solution using EAP authentication must be less than this. Even though this solves the initial problem at hand of WEP flaws, this solution still doesn't address the issues of disassociation attacks and packet spoofing attacks.

So essentially EAP/802.1x with WEP provides:

  • Authentication – really important for defining, based on ACLs, who can and can't access the wireless network

  • Rotating encryption with WEP 128-bit (dynamic WEP) – WEP itself is still notoriously vulnerable, but rotating it certainly helps to mitigate the risk

  • EAP (protocol for authentication) provides the choice of PEAP (MS-CHAPv2 with credentials) or EAP-TLS (digital certificates) for authentication and access control

Which introduces us to WPA. WPA addresses all of the issues associated with the WEP encryption flaws, disassociation attacks and packet replay attacks. It builds in authentication (RADIUS), uses a different protocol for encryption (TKIP) and builds in support for authentication services along with an integrity check of the initial client association with the access point. While WPA itself hasn't been cracked, it was only ever an interim measure until 802.11i was ratified. WPA2 is really the commercial implementation of 802.11i and takes the encryption level a step further by building in "government grade" AES encryption.

It's also important to note that whether using 802.1x/EAP with WEP or WPA, the choice of authentication (PEAP, EAP-TLS or others) is still yours to make. WPA doesn't care about the authentication itself, as that is handed off to a RADIUS provider, and a yes/no response from the auth provider defines whether you have access or not.

For home use, WPA-PSK is provided, which is an initial (and common to all clients) fixed key used to provide the initial encryption before the key is rotated. Because it's fixed, it doesn't scale well in a business environment (it has to be input into all clients like WEP keys), and this is especially where access control becomes important. For this reason it's important to still use WPA/WPA2 with an authentication provider (RADIUS) in order to provide a more scalable and manageable solution. For home use, WPA-PSK is fine. Thus home users can use WPA just like businesses and enjoy the same level of security (key rotation and encryption) without the backend infrastructure that businesses have.

Here's some excellent reading on the WPA2 standard and implementation guidelines if you're interested in some light reading :)

Why wouldn't I just choose WPA2 now?

So while it's a very good thing to move to WPA (and even better to WPA2), there's one key factor in why you may not be able to. The more immediate downside of WPA and WPA2 is that older hardware may either not support them or at best require a hardware flash update to upgrade it. Thus 802.1x/EAP and WEP may be the solution you end up using for compatibility reasons; just be aware of setting your key rotation times appropriately for the speed of the access point hardware you choose. Move to WPA/WPA2 as soon as you can move the hardware, or if you see a significant risk.
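The rule stated earlier (the 802.1x key rotation window must be shorter than the full-rate crack time) and the advice above to match rotation times to access point speed can be checked against an AP inventory. The following is an added example, not code from the original post: it uses only the 500,000-frame and crack-time figures quoted in the post, while the AP names, the inventory and the 50% safety margin are assumptions made for illustration.

```python
# Added example, not from the original post. The two crack times and the
# 500,000-frame figure are the ones quoted in the post; the 50% safety
# margin and the AP names are assumptions made for illustration.
FRAMES_TO_CRACK = 500_000
FULL_RATE_CRACK_SECONDS = {"802.11g": 160, "802.11b": 500}  # 2m40s, 8m20s


def full_rate_frames_per_second(phy):
    """Frame rate implied by the post's figures for an AP running flat out."""
    return FRAMES_TO_CRACK / FULL_RATE_CRACK_SECONDS[phy]


def audit_rekey(inventory, margin=0.5):
    """Grade each (ap_name, phy, rekey_seconds) entry; 0 means a static key.

    FAIL: the key lives at least as long as the quoted crack time.
    WARN: shorter than the crack time but above margin * crack time.
    OK:   at or below margin * crack time.
    """
    findings = []
    for name, phy, rekey in inventory:
        crack = FULL_RATE_CRACK_SECONDS.get(phy)
        if crack is None:
            findings.append((name, "UNKNOWN", None))  # no figure in the post
            continue
        if rekey <= 0:
            findings.append((name, "FAIL", None))  # static key, never rotated
            continue
        # Worst-case frames an eavesdropper can collect under a single key.
        frames = int(rekey * full_rate_frames_per_second(phy))
        if rekey >= crack:
            status = "FAIL"
        elif rekey > margin * crack:
            status = "WARN"
        else:
            status = "OK"
        findings.append((name, status, frames))
    return findings


# Constructed inventory: (AP name, radio type, configured rekey interval in s).
SAMPLE_INVENTORY = [
    ("ap-lobby", "802.11g", 60),
    ("ap-lab", "802.11g", 120),
    ("ap-warehouse", "802.11b", 600),
    ("ap-legacy", "802.11b", 0),
    ("ap-annex", "802.11a", 300),
]

if __name__ == "__main__":
    for name, status, frames in audit_rekey(SAMPLE_INVENTORY):
        print(f"{name:13} {status:8} frames per key at full rate: {frames}")
```

The frame rates here are derived from full-rate figures, so they are a worst case; an AP carrying less traffic exposes fewer frames per key than the number reported.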

 

 

Blogcast How To's

So anyway, as I promised, I always like to show how it's done.

Secure Wireless Networks Part 1 covers the basic server side configuration and Cisco 1200 Wireless Access Point configuration.

Secure Wireless Networks Part 2 covers the client side configuration.