Archive for the ‘Wi-Fi Masterminds’ Tag

Personal PSKs (Wi-Fi Masterminds)

This is the second in a series of posts that I am dubbing “Wi-Fi Masterminds” (TM). I will ask questions to a series of panelists and they will answer in round-robin fashion, where they can answer the question as well as respond to others.

If you have ever seen the show “Around the Horn” on ESPN, that is the type of interaction I am looking for.

I am planning on a pool of 6-8 masterminds, but will limit each question to a panel of three members. I will try to minimize my own involvement in the questions to only provide structure where needed or correct any factual errors.

Here are today’s panelists: 

Keith Parsons, CWNE #3, @keithparsons, http://wlaniconoclast.blogspot.com: A gifted presenter, Keith is known for his wit and broad technical expertise. He holds over 50 technical certifications and has earned an MBA from the Marriott School of Management. He is author (or editor) of a dozen technical publications and has developed seven technical certification programs. He travels throughout North America, Europe, Africa, Asia and Australia on behalf of a wide variety of IT vendors, explaining networking technology to industry professionals.

Bruce Hubbert: Bruce has been a veteran of the security industry since 1993 and currently functions as the Principal Systems Engineer for AirMagnet. Bruce is the primary pre-sales technical expert for this market-leading and award-winning wireless analysis and WLAN security systems manufacturer. Bruce has represented AirMagnet to the media and has been featured in the Washington Post, New York Times, Wireless Week, The IEEE, EE Times, Information Week, Techworld Japan (in English here) and on television on the History Channel's "Tactical to Practical" and ABC News "Business Now". You can read Bruce's wireless blog, "Freakquency", at http://www.hubbert.org/

Ken Hall, CWSP, RFID+: As a Senior Technology Solutions Consultant with over 20 years in IT, Ken has designed and/or deployed approximately 100 wireless networks, including the design and initial deployment of the Air Force's 2nd Generation Wireless LAN. His background includes security, routing, and switching with a smattering of everything else in between. Ken enjoys consulting due to the constant change in architectures and the possibility of helping customers resolve complex networking issues.

Today, the panelists are tackling questions related to the use of Personal Pre-shared Keys (PPSK): 

Several WLAN companies have recently developed alternatives to 802.1X networks that include a per-user pre-shared key (PSK).  What role do you see this technology playing in the enterprise?  What are its advantages? What are the disadvantages? 

Keith:  Traditionally, we have had in the WiFi industry three common ways to access a WiFi network.

1 – Open Authentication

  • Great for hotspots
  • Easy to set up and use
  • Hand-held devices and VoIP handsets easy to configure
  • All traffic sent in the clear
  • No control or QoS
  • No cost

2 – Pre-Shared Key (SOHO)

  • Single authentication key for the SSID
  • Everyone shares the same key
  • Encryption keys are derived from this key
  • Traffic sent encrypted
  • Easy to implement
  • No cost

3 – 802.1X or 802.11i with a RADIUS Server

  • Authenticates users with a variety of methods
  • Each user gets unique encryption keys
  • Hard to set up and configure
  • May be more costly depending…

But now a couple of vendors are entering the fray with an additional access method. One that has the ease of use of Pre-Shared Keys, but with the per-individual ability of 802.1X!

These PPSK systems offer an alternative to an 802.1X implementation. Guests can be given unique credentials that can be easily revoked, or based on time duration. This makes the management of WiFi encryption much, much easier. Client devices also can be more easily configured and can roam quicker using the PSK method.

Depending on the size and security policies of your enterprise, this might be a great new service to speed and maintain security for your now-open WiFi network. I look forward to more vendors opting for this easy, simple solution.

Bruce:  I remember a while back that T-Mobile allowed its subscribers to utilize 802.1X with EAP-TTLS and PAP via their hotspots (http://www.hubbert.org/2006/12/t-mobile-wpa-without-nasty-client-sw.html) and I used that method all the time. It was fast and secure. I wish more hotspot providers would do that. It just used your standard login as a T-Mobile subscriber.

There is also the company DeviceScape, which has a method to pre-authenticate you to a hotspot without the nasty splash page, which is handy. Neither of these systems, however, can assist you if you are rolling out to an enterprise or SOHO. There you are stuck with 802.1X and WPA/WPA2-PSK.

I am not a big fan of proprietary systems and I think most IT administrators agree. It can lead one down a long road to a possible dead end with a large amount of time and effort wasted. If you are Ruckus or Aerohive or Aruba and your system is a good one, then why not pony it up to the IEEE for consideration. I really do like the idea of per-user PSKs, however, so I am hoping that these vendors do the right thing and present it as a new task group. Pre-shared keys, especially ones with a real-world association (think "a real English word or phrase"), have serious issues. With only one key used to authenticate, the hacker need only crack it to get in. Per-user PSKs would theoretically allow you a much higher degree of control, as you might be able to limit access to subnets on a per-user basis.

I was at ShmooCon in Washington DC in 2006 when RenderMan released the Church of WiFi Rainbow Tables (http://www.renderlab.net/projects/WPA-tables/), which made it quick and trivial to crack pre-shared keys for both WPA and WPA2. The solution? On his website, RenderMan puts it this way:

“The fact that we found a way to speed up WPA-PSK cracking does not mean that it is broken. Far from it. The exploit used by coWPAtty and other similar tools is one of dumb passphrases. The minimum number of characters for a WPA-PSK passphrase is 8. The maximum is 63. Very few users actually use more than about 20 characters. As well, they also choose known words and phrases, likely to be in a dictionary. This allows us to leverage a human element in obtaining the key.

To get decent protection from WPA-PSK, you should use a very long, very random, alphanumeric string longer than 20 characters. To protect yourself further, particularly against the WPA-PSK hashtables, you should use a SSID not on the top 1000 list. This will force the attacker to compute their own list, rather than use one of the CoWF tables.

All that said; you should be using WPA2 with a radius server to get more reliable protection.”

I think time will tell, through testing, debate and consensus building which method is best but I am resisting any method not adopted by the industry as a whole.
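The RenderMan quote above describes the mechanics without showing them, so here is an added example (not code from the original post or from any of the panelists) in Python. It derives the WPA/WPA2-PSK Pairwise Master Key the way 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as the salt), builds a small SSID-keyed lookup table of the kind the CoWF tables are, shows that the same passphrase on an SSID the table was not built for gets no hit, and then models the per-user PSK idea: one random passphrase per user, so one revoked or leaked key does not force an SSID-wide re-key. The wordlist, SSIDs, user names and the `issue_personal_psks`/`revoke_personal_psk` bookkeeping are constructed for illustration, not any vendor's implementation.

```python
"""Added example, not code from the original post or its panelists.

Shows the WPA/WPA2-PSK passphrase-to-PMK mapping, why the CoWF-style tables
RenderMan describes are keyed on the SSID, and how a per-user PSK scheme
bounds the damage of one leaked key. Passphrases, SSIDs and the wordlist are
constructed sample data; the per-user bookkeeping is a hypothetical helper,
not any vendor's implementation."""
import hashlib
import secrets
import string

PBKDF2_ITERATIONS = 4096  # 802.11i passphrase mapping: PBKDF2-HMAC-SHA1, 4096 rounds
PMK_LEN = 32              # 256-bit Pairwise Master Key

SAMPLE_WORDLIST = ["password", "letmein1", "Password1", "sunshine"]  # constructed


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096, 256 bits).
    The SSID is the salt, which is why a precomputed table only works
    for the exact SSID it was built against."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def build_pmk_table(ssid: str, wordlist) -> dict:
    """Attacker-side precomputation: pay the 4096 PBKDF2 rounds once per
    (SSID, candidate) and store PMK -> passphrase for instant lookup."""
    return {pmk_from_passphrase(word, ssid): word for word in wordlist}


def lookup_pmk(table: dict, pmk: bytes):
    """Return the passphrase if the PMK is in the table, else None."""
    return table.get(pmk)


def random_passphrase(length: int = 24) -> str:
    """Random alphanumeric passphrase above the ~20-character mark that
    RenderMan recommends; dictionary and table attacks do not apply."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def issue_personal_psks(users, length: int = 24) -> dict:
    """Hypothetical per-user PSK store: one random passphrase per user, so
    each user derives a distinct PMK for the same SSID."""
    return {user: random_passphrase(length) for user in users}


def revoke_personal_psk(psks: dict, user: str) -> dict:
    """Revoking one user leaves every other user's key, and PMK, unchanged;
    with a single shared PSK the whole SSID would need re-keying."""
    return {u: p for u, p in psks.items() if u != user}


if __name__ == "__main__":
    victim_pmk = pmk_from_passphrase("Password1", "linksys")
    table = build_pmk_table("linksys", SAMPLE_WORDLIST)
    print("default SSID, dictionary word:", lookup_pmk(table, victim_pmk))
    print("same word, custom SSID:",
          lookup_pmk(table, pmk_from_passphrase("Password1", "xq7-ops-wlan")))
    psks = issue_personal_psks(["alice", "bob", "guest-0412"])
    print("distinct PMKs:",
          len({pmk_from_passphrase(p, "corp-ppsk") for p in psks.values()}))
```

You can cross-check the derivation against `wpa_passphrase <ssid> <passphrase>` from wpa_supplicant, which prints the same 32-byte PMK. Note that a per-user PSK changes which key an attacker would have to crack, not how crackable it is: a per-user key that is itself a dictionary word is still exposed to the same offline attack.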

Ken:  Maybe I'm old-fashioned, but I typically keep my employee access limited to PEAPv0 (EAP-MSCHAPv2) and guest access to open authentication/no encryption or a captive portal/walled garden. While a per-user PSK may be beneficial in some solutions, I believe it will prove to be a niche market. Most organizations want to decrease the amount of management required to implement a solution. With a typical, centrally-managed, overlay WLAN solution, once it's initially configured, it doesn't tend to need a great deal of extra management. All of the wireless users are already managed through other resources (i.e. AD, LDAP, etc.); and guest users are severely policy restricted and quite possibly on a physically separate network, so the typical recommendation would be for them to use a layer 3 method (i.e. VPN, etc.) for their encryption. The per-user PSK will increase the amount of "touch" required to manage those unique users/devices, but at the same time will provide a more secure, previously unavailable authentication/encryption mechanism. So, yes, I believe it is a feasible technology and there is certainly a case for it…but I also believe that it will see more application-specific deployment than widespread adoption and use.

What do YOU think?  Are Personal PSKs a legitimate form of WLAN security or just marketing fluff?  Let our panelists know what you believe by submitting a comment!

Importance of WIDS/WIPS (Wi-Fi Masterminds)

This is the first in a series of posts that I am dubbing “Wi-Fi Masterminds” (TM). I will ask questions to a series of panelists and they will answer in round-robin fashion, where they can answer the question as well as respond to others.

If you have ever seen the show “Around the Horn” on ESPN, that is the type of interaction I am looking for.

I am planning on a pool of 6-8 masterminds, but will limit each question to a panel of three members. I will try to minimize my own involvement in the questions to only provide structure where needed or correct any factual errors.

Without further delay, let’s meet today’s panelists, shall we?  They are… 

Jennifer Huber, CCNP, RFID+, CWNE #51, @jenniferlucille — Jennifer has over 8 years of experience in the networking and wireless engineering industry. She has a solid background in supporting, designing, deploying, and troubleshooting 802.11a/b/g/n enterprise wireless installations, as well as the ability to take complex information and explain problems and solutions in terms that are easily understood.

Keith R. Parsons, CWNE #3, @keithparsons, http://WLANiconoclast.blogspot.com — A gifted presenter, Keith is known for his wit and broad technical expertise. He holds over 50 technical certifications and has earned an MBA from the Marriott School of Management. He is author (or editor) of a dozen technical publications and has developed seven technical certification programs. He travels throughout North America, Europe, Africa, Asia and Australia on behalf of a wide variety of IT vendors, explaining networking technology to industry professionals.

Joel Barrett, CWNP #6, @joelbarrett — Joel Barrett is a senior-level wireless networking architect with Cisco Systems. Joel consults primarily with large enterprise customers concerning complex wireless deployments. He is an author of wireless industry books and lexicographer for "The Official CWNP Dictionary of Wireless Terms and Acronyms".

I asked the panelists the following questions:

How important do you think wireless IDS/IPS functionality is in an enterprise WLAN?  What do you think are important features of wireless IDS/IPS systems? 

Here is what they had to say… 

Jennifer:  The need for robust IDS/IPS alerting is essential in enterprise WLANs used in environments where the security of WLAN data is of import, or may be required by law.  Generating a baseline of WLAN usage, and implementing periodic auditing could mitigate the impact of a data breach, or prevent a repeat of the 2007 T. J. Maxx data theft incident.  Implementing a WIPS/WIDS system is usually one of many steps toward HIPAA or PCI compliance.  The ability of the WIPS/WIDS system to determine if a rogue AP is connected to the enterprise network is especially beneficial when determining the real threat of the rogue device.

Keith:  I agree with Jennifer’s initial description of the value of a wireless IDS/IPS system. I too have noticed the initial value of a WIDS is in the area of security. Being able to configure the correct security alarms for the intrusions your company cares about is paramount. A WIDS straight out of the box will give hundreds, if not thousands of alarms. The first step should be to correctly choose and configure the alarms your firm cares about tracking. Then build the proper response to those alarm triggers, i.e. document the remediation process for each alarm. As you clear each alarm category, then slowly add more alarms to the WIDS system until you get to where your firm wants to be. 

My clients purchase a WIDS for security, but then receive the best ROI from the performance alarms and from learning to better adapt the performance characteristics of their Wireless LAN, thus getting double, triple or higher throughput increases. Yes, the security is important, but a great WIDS/WIPS should also help you to troubleshoot and 'tweak' your Wireless LAN as well.

Joel: Wireless IDS/IPS is important because, for any establishment that accepts credit cards, PCI DSS compliance requires it. Customers who don’t accept credit cards should still implement WIDS/WIPS so they are aware of security threats and can take steps to reduce or eliminate rogue devices. In my opinion, it is more important to do continual monitoring rather than just periodic monitoring, as required by PCI DSS.

The most important feature, after detecting rogues, is the ability to produce meaningful reports so that management can understand what needs to be done to properly, quickly, and legally deal with those rogue devices.
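Jennifer's point that the real threat of a rogue AP depends on whether it is connected to the enterprise network, and Keith's advice to enable only the alarms you actually respond to, both come down to a classification step. The following is an added example in Python, not code from the original post, any panelist, or any WIDS product. It takes BSSIDs reported by wireless sensors, an authorized-AP list and the MAC table learned from the wired switches, and labels each AP as authorized, rogue-on-wire, or external. The on-wire test is a deliberately simple heuristic that I am assuming for illustration: an unknown BSSID whose address falls within a few values of a MAC seen on the wired side (same OUI) is treated as the radio of a box plugged into the LAN. Real WIPS products use additional methods (wired-side tracing, switch-port correlation, client association tests), so treat this as the shape of the logic rather than a substitute. All addresses and sensor names below are constructed sample data.

```python
"""Added example, not from the original post or any vendor product: a minimal
rogue-AP classifier that separates neighbouring APs from ones plugged into the
enterprise LAN, so that only the latter raise a paging-level alarm.

Inputs are constructed sample data: BSSIDs seen by wireless sensors, the
authorized-AP list, and MAC addresses learned on the wired switches."""
from dataclasses import dataclass


@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    sensor: str


def mac_to_int(mac: str) -> int:
    """'00:0c:41:12:34:56' -> 0x000c41123456 (accepts ':' or '-' separators)."""
    return int(mac.replace(":", "").replace("-", "").lower(), 16)


def oui(mac_int: int) -> int:
    """Top 24 bits: the vendor prefix."""
    return mac_int >> 24


def classify_ap(ap: ObservedAP, authorized_bssids, wired_macs, max_offset: int = 8) -> str:
    """Return 'authorized', 'rogue-on-wire' or 'external'.

    Assumed heuristic (not a standard): many APs derive their radio BSSIDs
    from the Ethernet MAC of the same unit, so an unknown BSSID within
    max_offset of a MAC learned on the wired side, with the same OUI, is
    treated as being on the wire."""
    b = mac_to_int(ap.bssid)
    if b in {mac_to_int(a) for a in authorized_bssids}:
        return "authorized"
    for wired in wired_macs:
        w = mac_to_int(wired)
        if oui(w) == oui(b) and abs(w - b) <= max_offset:
            return "rogue-on-wire"
    return "external"


def classify_all(observed, authorized_bssids, wired_macs) -> dict:
    """BSSID -> verdict for every AP the sensors reported."""
    return {ap.bssid: classify_ap(ap, authorized_bssids, wired_macs) for ap in observed}


def page_worthy(verdicts: dict) -> list:
    """Keith's tuning advice in code: only on-wire rogues page someone;
    external neighbours belong in a daily report, not an alarm."""
    return sorted(b for b, v in verdicts.items() if v == "rogue-on-wire")


# Constructed sample data
AUTHORIZED = ["00:1a:1e:aa:bb:c0", "00:1a:1e:aa:bb:d0"]
WIRED_MACS = ["00:0c:41:12:34:56", "00:1a:1e:aa:bb:be", "3c:5a:b4:00:11:22"]
OBSERVED = [
    ObservedAP("00:1a:1e:aa:bb:c0", "corp", "sensor-1"),     # our own AP
    ObservedAP("00:0c:41:12:34:57", "linksys", "sensor-1"),  # consumer AP, MAC adjacent to a wired entry
    ObservedAP("00:1f:33:99:88:77", "NETGEAR", "sensor-2"),  # neighbour across the street
    ObservedAP("3c:5a:b4:00:11:23", "corp", "sensor-2"),     # unknown box advertising our SSID, on the wire
]

if __name__ == "__main__":
    verdicts = classify_all(OBSERVED, AUTHORIZED, WIRED_MACS)
    for bssid, verdict in verdicts.items():
        print(f"{bssid}  {verdict}")
    print("page on:", page_worthy(verdicts))
```

The authorized check runs first on purpose: a legitimate AP is, of course, also adjacent to a wired MAC, and without that ordering every sanctioned AP would trip the on-wire rule. The last sample entry is the case Jennifer's comment is about, an unknown device advertising the corporate SSID that is actually plugged into the LAN, which is the one that deserves the fast, documented response.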

What do YOU think?  Let our panel know by submitting a comment! 

Wi-Fi Masterminds

I am starting a new series here called “Wi-Fi Masterminds” (TM).

I will ask questions to a series of panelists and they will answer in round-robin fashion, where they can answer the question as well as respond to others.

If you have ever seen the show “Around the Horn” on ESPN, that is the type of interaction I am looking for.

I am planning on a pool of 6-8 masterminds, but will limit each question to a panel of three members. I will try to minimize my own involvement in the questions to only provide structure where needed or correct any factual errors.

I am drawing the masterminds from several different wireless vendors and VARs as well as individual consultancies. I would like to keep the discussion as vendor neutral as possible. I understand that it may be necessary to refer to vendor specifics from time to time, but I have asked all panelists to be respectful of other vendor viewpoints.

My first question is about wireless IDS/IPS systems and is meant to piggyback off of recent content I published here as well as on my Computerworld blog.

Feel free to suggest future topics and/or volunteer as a panelist. When the first post is published (hopefully in the next day or two), let our panel know what you think by submitting a comment of your own.