www.sunvistacomputerclub.com

Wi-Fi Security
January 21, 2008
by
Larry Finger


Most laptops now come with built-in wireless
capability, which can be very handy;
however, always remember that the device is
a radio. Whatever it broadcasts can be seen
by any receiver tuned to that channel.
This presentation will cover how to protect
your own (private) network, and how to
protect yourself when you use a public
network.
A “typical” home network
Why Secure the home network (part 1)
Protect your information
Using a program called Wireshark, I captured data from
the tengointernet Wi-Fi. One of the messages contained
the following:
href="/prize/prize-rules.jsp" target="_top">Prize
Rules</a>';.prizes[2]='<a href="/prize/prize-winners.jsp "
target="_top">
This gobbledygook is HTML, the language of web pages.
These data contain no secrets; however, the parts I didn't
show could be used to determine what sites you visit,
etc.
Note: Wireshark does not work with Windows.


Things are not quite as bad as the previous
slide would suggest.
When really sensitive information such as
bank account numbers, log-in names, and
passwords is transmitted, and you are
using an “https” site, the data are already
encrypted and are usually safe. I'll cover the
exception later.
Why secure the home network (part 2)
Keep strangers from using your Internet
connection
You may have excess capacity, and sharing may
not hurt, but what happens if the unwanted guest
is downloading kiddie porn? The Internet record
will point to YOUR connection!!! To my
knowledge, no one has been prosecuted for this;
however, why take a chance?
How do you encrypt your Access Point? There
are several flavors of encryption:

WEP – Wired Equivalency Protocol

WPA – Wi-Fi Protected Access

WPA Personal (TKIP - Temporal Key Integrity Protocol or AES - Advanced Encryption Standard)

WPA2 Personal (TKIP or TKIP + AES)

RADIUS – Remote Authentication Dial In User Service – needs separate server - mostly for companies (highly secure)

WPA Enterprise – needs RADIUS server

WPA2 Enterprise – needs RADIUS server
WEP – Use only if it is the only encryption
available!!!
The designers did it badly. Even with the 128-bit
version, the encryption can be broken in
as little as 5 minutes!
Be aware that the conversion of a WEP
passphrase into a hexadecimal string is not
unique, and the key used by your AP may not
match that of the computer!! Put a
passphrase into the AP, but copy the resulting
hexadecimal string for later use.


WPA2 Personal – The best available encryption for
the home network. Use this one if it is available.
WPA Personal – This method is less secure than
WPA2, but is designed to work with equipment
originally designed for WEP.
Unlike WEP, the WPA methods can only be cracked
by dictionary attack. If the passphrase is 20
characters or more, cracking is essentially
impossible. Use a strange combination of
upper/lower case and special characters and/or
numbers. My phrase is 28 characters, and includes
special characters. WPA and WPA2 passphrase
conversion is unique.
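
The two conversion claims above (WEP's is not unique, WPA's is) can be checked directly. This is an added example, not part of the original slides: it derives the WPA key with the PBKDF2 function that IEEE 802.11i specifies and contrasts two WEP conventions seen on consumer equipment, the MD5-based generator and direct ASCII entry. The passphrase and SSID are constructed values, and the function names are this example's own.

```python
import hashlib

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2 Personal key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
    4096 iterations, 32 bytes), as specified by IEEE 802.11i."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def wep104_md5(passphrase: str) -> bytes:
    """Common vendor generator for 128-bit WEP (a convention, not a
    standard): repeat the passphrase to 64 bytes, MD5, keep 13 bytes."""
    data = passphrase.encode("ascii")
    if not data:
        raise ValueError("empty passphrase")
    repeated = (data * (64 // len(data) + 1))[:64]
    return hashlib.md5(repeated).digest()[:13]

def wep104_ascii(passphrase: str) -> bytes:
    """Other convention: a 13-character entry is used as the key itself."""
    data = passphrase.encode("ascii")
    if len(data) != 13:
        raise ValueError("ASCII entry for 128-bit WEP needs 13 characters")
    return data

def wep_keys_agree(passphrase: str) -> bool:
    """True only if both WEP conventions yield the same 104-bit key."""
    return wep104_md5(passphrase) == wep104_ascii(passphrase)

if __name__ == "__main__":
    phrase = "ExamplePhrase"  # constructed sample, 13 characters
    print("WEP via MD5   :", wep104_md5(phrase).hex())
    print("WEP via ASCII :", wep104_ascii(phrase).hex())
    print("WEP keys agree:", wep_keys_agree(phrase))
    # WPA: every device computes the same key for a given SSID.
    print("WPA PSK       :", wpa_psk(phrase, "ExampleSSID").hex())
```

Because the SSID is the salt, the same WPA passphrase produces a different key on a differently named network. The WEP mismatch is the reason to copy the hexadecimal string from the AP rather than retyping the passphrase on the computer.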
How do you set the encryption method?
The answer depends on the maker of your AP.
For the Linksys models, you connect via a
wired connection and point your browser to
192.168.1.1
This address is the default value for these
routers. I'll show later how to determine these
“magic” numbers.
You will be presented with this window.
No “User Name” is required. Note: If you have
not already changed the default password, do
so now!
After logging into the router, select the
“Wireless” and “Wireless Security” tabs, and
pull down “Security” to get
To set up your AP for WPA2 with TKIP + AES,
you would select
This slide shows the way to generate the WEP
key from a passphrase. Only the “Default”
key will be needed
If you have a different make of access point,
the process may differ, but in general, you
will still have to connect to the IP address of the
AP, log in, and select the encryption method
and passphrase.
To find the IP address that is needed, select
“start/run”, put “cmd.exe” in the box, and click
“Ok”. In the window that pops up, type
“ipconfig /all”. The address listed as the
“Default gateway” for the wired interface is
what you need.
I have now described what you do to secure
your private network, but what can you do if
you are using a public network such as those found
in RV parks, libraries, motels, and coffee
shops?
The solution is a Virtual Private Network or
VPN. Unless your employer has a VPN
server, these are not free. The one I use
costs $40/year.
Note: VPNs will also work with wired
connections.
A VPN is a network “tunnel” between your
computer and the VPN server. With the tunnel,
ALL transmitted data are encrypted before
leaving your computer and are not decrypted
until they reach your VPN server, which sends
your data on to the final target. Of course, if you
are using https, there is an additional level of
encryption.
There are three flavors of VPNs:

PPTP – Point to Point Transfer Protocol
This method is easiest to implement, but relies on a
password that is entered when you connect. It also uses a
less-secure encryption than the other two.

SSL – Secure Sockets Library
This method uses a certificate, which was generated by the
VPN provider, to authenticate the client. No password need
be entered. Both the openvpn and ipsec programs use this
method.

IPSec – Internet Protocol SECurity
This method is very secure; however, it requires
modification to the operating system. Thus, it is harder to
implement.
Besides encryption, VPN has other benefits:

Access “blocked” sites

Use blocked servers and services

Eliminate “Man-in-the-Middle” attacks
References
Detailed description of encryption methods:
en.wikipedia.org
The commercial VPN provider that I use:
www.witopia.net
I will now show you the steps needed to create
a PPTP VPN on Windows.