«
»

WPA no longer considered reliable?

There are a number of stories making the rounds today about how WPA has been cracked, though “it’s not as bad as you think…yet”.

WPA2 when using TKIP is also affected.

Running a VPN on top of your wireless encryption can offer additional protection, and you may want to consider such a deployment regardless of the wireless encryption deployed in your network. Whether pfSense is your AP, or your APs connect to it, it can provide VPN services to internal users on your wireless network, and you can restrict all traffic coming in from your wireless network to only access the VPN. Then after successfully authenticating to the VPN, users can access your internal network and/or the Internet.

Edit:  SANS has a good webcast on this topic for those interested in details.

This entry was posted by on Thursday, November 6th, 2008 at 5:28 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

8 Responses to “WPA no longer considered reliable?”

  1. blak111 Says:
    November 6th, 2008 at 7:39 pm

    I believe this weakness is just with TKIP, which was just basically WEP on steroids. It’s very similar to WEP to avoid conflicts with needing better drivers or better hardware to support anything better like AES.

  2. Chris Buechler Says:
    November 6th, 2008 at 9:31 pm

    I updated Scott’s post with some additional information.

  3. resmo Says:
    November 7th, 2008 at 3:34 am

    I wonder why people are so surprised about this “WPA cracked” story. Anybody knows WPA is WEP improved and so this can’t not be secure.

    I think the reason is, that WPA and WPA2 looks almost like the same for common people. They only see WPA and remember they also used something called WPA, obviously WPA2 and start screaming.

  4. p1nged Says:
    November 8th, 2008 at 11:37 pm

    yea, what blak111 said is true… they broke TKIP

    in any case, the most secure for now is WPA2-Enterprise with AES & RADIUS authenication + using an L2TP/IPSec VPN on top of that… can all be done using pfsense

    thats just being paranoid, but maybe required for certain applications

  5. RasKal Says:
    November 17th, 2008 at 4:29 am

    Fully agree with p1nged and I’d also use x509 user certificate if L2TP/IPSec is not an option.
    Bgrds.

  6. Scott Ullrich Says:
    November 17th, 2008 at 2:26 pm

    Just because your paranoid does not mean they are not out to get you ;)

  7. hawk Says:
    November 24th, 2008 at 1:10 am

    It’s not really true that “WPA2 is not affected”, TKIP (the thing that has started showing cracks) is part of the WPA2 spec as well as the WPA spec.

    However CCMP (AES), only mandatory in WPA2, is unaffected, so it is not as bad as it sounds.

  8. Chris Buechler Says:
    November 24th, 2008 at 1:15 am

    Thanks hawk, I updated the post. That was from the first day when the details weren’t so clear and I never went back and reviewed the content of the post.

Leave a Reply