
Wireless security PSA

I lurk here a bit, and I've seen a number of threads talking about wireless setups. I notice a lot of you use WEP, MAC filtering, and disabling SSID broadcast for security. So I figured I'd put this together real quick.

Honestly, WEP, disabling SSID broadcast, and MAC filtering are entirely ineffective for security. In order to have a secure network you need at least WPA-PSK with a strong key (one that doesn't have components in the dictionary, numbers, upper and lower case, symbols, more than 14 characters, etc.).

WEP is trivially broken using off-the-shelf tools and hardware. It has been done in under 2 minutes with relatively modest hardware.

http://arstechnica.com/news.ars/post/20070404-new-attack-cracks-wep-in-record-time.html

SSID broadcasting is not security, as a wireless sniffer (or my Broadcom wireless manager) will still pick up the network, and not surprisingly it breaks a lot of wireless clients; see the above post about AMX not supporting this, or even Microsoft's take on this:

http://www.microsoft.com/technet/network/wifi/hiddennet.mspx

MAC filtering is ineffective due to the ability to trivially find the MAC address of an authorized host and spoof it. I can't find a decent article for this, but even in conjunction with other security techniques, it is just as easy to break as if it were to be the only security. This should take an inexperienced attacker a couple minutes to pull off.

Here is an example tool for this, to be used in conjunction with something like netstumbler:

http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp

Also, everyone here needs to realize that if you are sharing the AMX wi-fi with the house/internet wifi network, or if the AMX wi-fi is on the same layer 2 network, once the wireless security is broken, you can use an ARP poisoning attack to sniff data between any set of hosts on the network. I.e., I could break the AMX wireless that is connected into the same switch as a client's computer which he uses for internet, and sniff all his traffic to capture his passwords/emails/etc. I can even perform a MitM attack and see traffic on https or other ssl tunnels in plaintext.

See http://www.oxid.it/cain.html for a good tool for this.

Comments

  • vining Posts: 4,368
    wizard wrote:
    Honestly, WEP, disabling SSID broadcast, and MAC filtering are entirely ineffective for security.
    That depends on what type of security you're looking for. If you're trying to secure wi-fi on college campuses or from corporate/industrial spies then no, but for most residential installations where you're really just trying to prevent neighbors from connecting to the internet through your network then I feel it's still adequate. It's always possible to live next to some techno geek that has nothing better to do than to break the crypt on your wi-fi but for most a hacker gaining access has no rewards.

    I'm not really up on current WPA events but to my understanding that's now hackable as well. In corporate installations or areas where security is a real issue then yes you must use WPA but you should also have your wi-fi on a completely different network and probably create a VPN tunnel for access between the wi-fi & wired and only use wi-fi for portable TPs while all other devices stay hard wired.

    Most of my installs (residential) are still set up w/ WEP and SSID broadcast on and I feel comfortable with that level of security for these types of installations. I'm fully aware that if someone really wants to they can hack it but they can also likely just break into the house and get access to something of real value.
  • Hedberg Posts: 671
    Most of the wireless AMX panels that we have installed do not support WPA. I was playing with a C$tron TPMC-8X the other day, and that looks to have WEP only, too.

    I believe that a good practice is to not degrade the customer's level of security by adding AMX wireless equipment. If you're putting an access point on a customer's network and all the other access points on the customer's network are WPA protected, either use WPA or isolate the AMX network. If the AMX network is isolated, it should be a pretty low risk target.
  • DHawthorne Posts: 4,584
    Hedberg wrote:
    Most of the wireless AMX panels that we have installed do not support WPA. I was playing with a C$tron TPMC-8X the other day, and that looks to have WEP only, too.

    I believe that a good practice is to not degrade the customer's level of security by adding AMX wireless equipment. If you're putting an access point on a customer's network and all the other access points on the customer's network are WPA protected, either use WPA or isolate the AMX network. If the AMX network is isolated, it should be a pretty low risk target.
    The AMX wireless panels shipped within the last few months support WPA. Older ones, you can upgrade the wireless card to support it.
  • Hedberg Posts: 671
    We've gotten some with g cards recently and I understand that you can add g cards to the older panels, but when the panel is in an isolated network or is connected into a network which does not have WPA security, there's not much point. Assuming everything is working correctly.
  • ericmedley Posts: 4,177
    Not to poo-pooh this discussion... Wizard does make some very accurate statements. The bottom line is, if you're broadcasting any information over the airwaves, it's open to reception by anyone within the transmitter's range. I also remember that within 20 minutes of Linksys announcing the release of their Wireless G wap, some kid in Norway posted a crack for the encryption on his website. It's a hurly burly world out there. There's also lots of people with way too much time on their hands.

    However, it's a matter of acceptable risk. We have this discussion with the client at some point during the design of their system. We try to arm them with all the information we can and hope they make a wise choice.

    We try to break down the risk into its component parts so they can scale their network(s) on a continuum of wide-open very convenient to pretty tight but not as convenient. We have our own standards of what we're willing to accept and scale our side of the network accordingly.

    In many cases we're dealing with a client that needs some access to their network from the outside and we do as well. Some places there is no way to get separate IPs for this and we're forced to share a fast internet connection. Here again, it's a matter of how much risk is acceptable.

    It works the same way on the freeway. It's a dangerous place to drive your car. You have to weigh the positives and negatives, manage the risks as best you can and do what's right for you.