Secure wireless network by using adsl modem Router with wpa2-psk



Download 35.5 Kb.
Date27.01.2017
Size35.5 Kb.
#8781
secure wireless network by using ADSL Modem Router with WPA2-PSK

he pre-shared key can be made up of letters (upper- and lowercase), numbers and some symbols (i.e. underscores (_), hyphens (-), etc)

WPA2 is the latest industry-standard method of protecting your wireless network. 

What is WPA2 - PSK ?



WPA stands for "Wi-Fi Protected Access", and PSK is short for "Pre-Shared Key."

There are two versions of WPA: WPA and WPA2.



WPA2 is the latest generation of Wi-Fi security which comes in combination with other encryption methods like PSK [TKIP or AES] which is also called WPA2 Personal.

WPA2-PSK [AES] is the recommended secure method of making sure no one can actually listen to your wireless data while it's being transmitted back and forth between your router and other devices on your network.

As with other network settings, to change your wireless encryption, you must log in to your router's configuration page.

The initial steps and settings may differ depending on your router's brand and model, but in general, here are the steps:

Note: It is recommended to get help from someone who knows how your systems are connected (for example, your Network Admin or IT Team) if it is your first time changing the settings in your router.

Securing your Wi-Fi® connections is an important element of securing your personal data. A Wi-Fi network using WPA2™ provides both security (you can control who connects) and privacy (the transmissions cannot be read by others) for communications as they travel across your network. For maximum security, your network should include only devices with the latest in security technology – Wi-Fi Protected Access® 2 (WPA2). Wi-Fi CERTIFIED™ devices implement WPA2.

Most Wi-Fi equipment is shipped with security disabled to make it very easy to set up your network. Most access points, routers, and gateways are shipped with a default network name (SSID), and administrative credentials (username and password) to make configuration as simple as possible. These default settings should be changed as soon as you set up your network.

It’s also important to consider employing other measures to secure your communications after they travel beyond your Wi-Fi network. Tools like personal firewalls, Virtual Private Networks (VPNs) and HTTPS can help reduce the risk of compromised privacy and security for internet traffic.

- See more at: http://www.wi-fi.org/discover-wi-fi/security#sthash.cNIDoL7x.dpuf



Wi-Fi Protected Setup is an optional feature that simplifies and standardizes the process of configuring and securing a Wi-Fi network. It configures the network name (SSID) and WPA2 security for the gateway and client devices on a network and makes adding a new device to your network as easy as pushing a button or entering a personal information number (PIN). Products certified for Wi-Fi Protected Setup are available at major electronics retailers and display this identifier mark on their packaging. - See more at: http://www.wi-fi.org/discover-wi-fi/security#sthash.cNIDoL7x.dpuf

Securing a new network


  • Change the network name (SSID) from the default name

  • Change the administrative credentials (username and password) that control the configuration settings of your Access Point/Router/Gateway

  • Enable WPA2-Personal (aka WPA2-PSK) with AES encryption

  • Create a network passphrase that meets recommended guidelines

  • Enable WPA2 security features on your client device and enter the passphrase for your network

Checking security on an existing network


When you add a new device to your Wi-Fi network, it’s a great time to make sure you’re taking advantage of the highest level of security. Take the opportunity to ensure your network is configured for WPA2.

If your network was set up some time ago, or a service provider (e.g consultant or cable provider) configured your home network, it may be worth checking that it’s configured for the highest level of security. If your network is configured for an older generation of security (WEP or WPA), Wi-Fi Alliance® recommends you move to WPA2. WPA2 has been required on all Wi-Fi CERTIFIED products since 2006 – the vast majority of Wi-Fi CERTIFIED devices in service today are capable of WPA2.


Passphrase quality & lifespan


A secure network passphrase greatly enhances network security, so it is important to select an effective passphrase. In general, increasing length, complexity and randomness all improve the quality of a passphrase. Wi-Fi Alliance recommends that a passphrase is at least eight characters long, and includes a mixture of upper and lower case letters and symbols. A passphrase should not contain a word found in a dictionary and should not include personal information (identification number, name, address, etc).

Periodically changing the passphrase on your network also increases security.


On-the-go


Once users have experienced the convenience and freedom of working wirelessly, they want to take their Wi-Fi devices on the road. Here are some tips for securing your Wi-Fi devices when using them away from your home network.

  • Enable WPA2 security: All of your Wi-Fi client devices (laptops, handsets, and other Wi-Fi enabled products) should use WPA2.

  • Configure to approve new connections: Many devices are set by default to sense and automatically connect to any available wireless signal. Configuring your client device to request approval before connecting gives you greater control over your connections.

  • Disable sharing: Your Wi-Fi-enabled devices may automatically enable themselves to sharing / connecting with other devices when attaching to a wireless network. File and printer sharing may be common in business and home networks, but you should avoid this in a public network such as a hotel, restaurant, or airport hotspot.

- See more at: http://www.wi-fi.org/discover-wi-fi/security#sthash.cNIDoL7x.dpuf

Wi-Fi Protected Access (WPA and WPA2)


Provides much greater security than WEP, but requires a separate authentication protocol, such as RADIUS, be used to authenticate all users. WPA uses a dynamic key that constantly changes, as opposed to the static key that WEP uses.

The Dell SonicWALL security appliance provides a number of permutations of WEP and WPA encryption.

WPA/WPA2 Encryption Settings

Both WPA and WPA2 support two protocols for storing and generating keys:





Pre-Shared Key (PSK)—PSK allows WPA to generate keys from a pre-shared passphrase that you configure. The keys are updated periodically based on time or number of packets. Use PSK in smaller deployments where you do not have a RADIUS server.



Extensible Authentication Protocol (EAP)—EAP allows WPA to synchronize keys with an external RADIUS server. The keys are updated periodically based on time or number of packets. Use EAP in larger, enterprise-like deployments where you have an existing RADIUS framework.

WPA2 also supports EAP and PSK protocols, but adds an optional AUTO mode for each protocol. WPA2 EAP AUTO and WPA2 PSK AUTO try to connect using WPA2 security, but will default back to WPA if the client is not WPA2 capable.

Encryption scrambles messages so that an opponent or attacker cannot intercept them. Most encryption is based on encryption keys, which are merely secret codes used to scramble and unscramble the message. Strong encryption requires strong keys.

WPA2-PSK (Preshared Key) is the strongest and most practical form of WPA for most home users. WPA2 is more secure than WPA because it uses the much stronger AES (Advanced Encryption Standard) protocol for encrypting packets.

The encryption key may be from 8 to 63 printable ASCII characters or 64 hexadecimal digits. The maximum length results in 256 bit strength, which is what 64 digits (8 bits each) multiplied by 4 bits/digit yields. I recommend that you use at least 32 random characters.

Of course you don't type the spaces. Notice that I've converted a password with all lowercase letters to a stronger one by changing just a few letters to uppercase to make it easier to type.

To protect against current brute force attacks, a truly random pre-shared key of at least 20 characters should be used, and 33 characters or more is recommended. But, pre-shared keys are usually configured only once, and users don't need to enter them every time. You might as well use the strongest possible encryption key. :-)


Your SSID (wireless network name)

Due to the naive design of WPA2, the name of your network is the starting point for hackers. It is broadcast in the clear, and it's easy to look up your encryption key on widely available rainbow tables if your SSID is simple. The more random your network name, the better. Treat your WiFi network name as you would a password. Make it complex and avoid using any whole words. Maximum length for an SSID is 32 characters.

I use something like "ASZumFY2J6JeIbpv8xNWVRqmY8SDF8AX" (without quote marks) for my SSID. You can use one of the key generators below to generate your own random SSID. Just trim it back to 32 characters, and you'll have a very strong one.

people wanted to know an easy way to secure a home Wireless network.  My advice to them has usually been for them to use WPA-PSK (Wi-Fi Protected Access Pre-Shared Key) because it was the lowest common denominator with a reasonable level of security.

The PSK is basically a secret string of character designed to offer a simple way of securing a home wireless network.  Because there are WPA-PSK cracking tools out there that can do offline dictionary attacks which allow for a fast exhaustive search of likely passwords, WPA-PSK is vulnerable when simple pass phrases are used.  There are many experts giving differing opinions on how long a Pre-Shared Key should be and many of them are telling users to use very long pass phrases well above 25 characters all the way up to 64.  This has not only caused some confusion among users, but may have also intimidated them from using WPA.  I'm going to try and settle this matter here and now and show why you really only need around 8 or 9 characters for a WPA-PSK key to be reasonably safe so long as your pass phrase is comprised of random a-z and 0-9 alphanumeric characters.

The following table shows you what happens when you increase the number of alphanumeric characters used for the WPA-PSK key and what happens when you increase the number of cracking computers.  To compute this table, I took in to account the following factors:


  • The best WPA-PSK cracker can check 100 PSKs per second on a very fast PC

  • Using a-z and 0-9 characters, there are 36 possibilities per character

  • Combinations of PSKs equals 36 raised to the number of characters used

  • Average cracking time (in years) equals combinations divided by 100 PSKs/sec divided by the number of cracking PCs divided by 60 sec/min divided by 60 min/hour divided by 24 hours/day divided by 365.24 days/year divided by 2

Based on the results, it's clear that cracking an 8 character password is possible within a year using the computational power 1,000 PCs but would be very expensive and impractical to target a home user with this level of computing power.  Physically breaking in to your home would be much easier.  What this means is that it is perfectly safe using an 8 character alphanumeric pass phrase key to secure a home Wireless LAN using WPA-PSK or WPA2-PSK using these simple guidelines.  A simple random 8 character alphanumeric WPA-PSK key would look something like 2b8uwo35 which is very easy to handle.

As stated in the previous blog, we started our discussion on why every remote user is likely on an untrusted network by exploring various ways users connect. We started our discussion with WEP in order to better understand the relative protection and methods of attacks on WEP’s interim successor WPA (Wi-Fi Protected Access) and the current standard WPA2. WEP ultimately broke down because given enough traffic, an attacker can recover the key regardless of the key’s complexity.

WPA came out as a stopgap measure in 2003, and WPA2 was introduced by 2004. It contained improvements to protect itself against WEP’s flaws, such as the ability to check the integrity of the packets and avoided problems with the ways the keys were used. The 802.11g era served as a middle ground for all three security measures, with WEP, WPA and WPA2 being options for security. The 802.11n generation of products required adoption of WPA2 in order to take advantage of the speeds above 54 mbps.

There are different ways to implement WPA2, but for the most part, the use of a pre-shared key (PSK) is by far the most commonplace, especially at homes, small businesses, and guest networks. That’s because that pre-shared key security can be implemented with just the access point and the client, for it requires neither a 3rd party 802.1x authentication server nor requires setting up accounts for each user. Thus, for the most part, the networks that users connect to outside of the office, they’ll most likely be using WPA2 with PSK.

The WPA2 PSK supports 256 bit keys, which requires 64 hex characters (0-9, A-F) to enter. It sounds secure in theory, but in practice it simply isn’t that easy to type that many characters to get the device online.  As an alternative, in order to make data entry much easier on humans, WPA2 includes a function to generate a 256-bit key using a much shorter passphrase, and using the wireless access point’s identification (SSID) as a salt for the hash function.

Now in order to execute an attack on the passphrase, one needs to be able to test a large number of passphrase candidates. So while WPA2 remains cryptographically secure (namely the key isn’t recoverable by simply observing the traffic like with WEP), there are methods to test passphrases offline by gathering the handshake packets between the access point and a legitimate user.

In order to collect the necessary packets, one could passively gather traffic when a user joins the network. This requires time, however, as one does not know when someone will come along. The impatient attacker does not have to wait, however, by employing an active attack. As long as there is already a legitimate user online, the attacker can kick the client off the access point with forged de-authentication packets. After getting knocked off, the client will automatically retry to connect, thus providing the attacker with the handshake packets needed for offline passphrase analysis. Thus, unlike WEP, the attacks on WPA2 can be done without spending a significant amount of time in the proximity of the target network. Once the handshake packets have been gathered, the attacker can continue the work elsewhere, out of sight.

With the handshake packets in hand, what’s next? The attacker still must recover the passphrase itself, and in the early days of WPA2 cracking, it was relatively impractical to crack a moderately difficult passphrase. However, new techniques in recent years have made WPA2 cracking far more sophisticated than it had been in the past. In the next blog entry of this series, we’ll explore why passphrases are not as strong as they used to be due to the sophistication of passphrase recovery techniques and weaknesses in human behavior.

scp copies files over a secure, encrypted network connection. scp stands for "secure copy." If you are familiar with using the cp command on your local machine, scp is easy to understand. Both commands require a source and a destination filesystem location for the copy operation; the big difference is that with scp, one or both of the locations are on a remote system.

scp copies files securely between hosts on a network. It uses ssh for data transfer, and uses the same authentication and provides the same security as ssh. Unlike rcp, scp will ask for passwords or passphrases if they are needed for authentication.

File names may contain a user and host specification to indicate that the file is to be copied to/from that host. Local file names can be made explicit using absolute or relative pathnames to avoid scp treating file names containing ':' as host specifiers. Copies between two remote hosts are also permitted.


SCP (Secure Copy Protocol)


SCP is an older protocol but almost universally supported on Unix-like platforms as part of an SSH protocol suite. It is rarely supported on other platforms. SCP is a descendant of the ancient “rcp.”

scp myfile.txt pi@192.168.1.3:project/

Security in an OLSR MANET

A significant issue in MANETs is that of the integrity of the network itself. OLSR allows any node to participate in the network – the assumption being that all nodes are behaving well and welcome. If that assumption fails, then the network may be subject to malicious nodes, and the integrity of the network fails.

In OLSR as in any other proactive MANET routing proto-

col, each node must, first, correctly generate routing proto

-

col control traffic, conforming to the protocol specification



.

Secondly, each node is responsible for forwarding routing

protocol control traffic on behalf of other nodes in the net-

work. Thus incorrect behavior of a node can result from

either a node generating incorrect control messages or from

incorrect relaying of control traffic from other nodes. Thus

we have two types of attacks against the OLSR routing

protocol.

The first type of attack consists, for a node, in generat-

ing incorrect control message. For this first type of attack,

the node can generate a fake control message from scratch

or it can replay already sent control messages. In this sec-

ond case, we have an incorrect control message generation

using replay. Another even more advanced such replay at-

tack consists in capturing a control message in a given lo-

cation of the network and relaying it very rapidly to another

location to replay it.

In the second type of attack, the node is not relaying cor-

rectly either the control messages or the data packets. This

attack can range from the absence of relaying to an in-

correct relaying, e.g., a data packet can be forwarded to

a wrong next hop node.

The security architecture initially proposed in [12] that w

e

have used to counter the previous attacks relies on two main



mechanisms:

Download 35.5 Kb.

Share with your friends:




The database is protected by copyright ©ininet.org 2024
send message

    Main page