Connecting remote branch using WPA2 Security

jrcollins50 · Sep 25, 2014

We would like to connect our offices via wireless point to point links. Please give your thoughts on the security behind this rough plan. This is for a financial institution, so security is top priority. This traffic would not traverse the internet, it would simply come into our layer 2 network. Both locations would be on the same subnet.

WPA2 Security with 256-bit AES encryption
60 character PSK (auto rotating key) (complex randomly generated)
hidden SSID
700 Mhz frequency with proprietary antenna
mac-address filtering with active block list
No DHCP, statically assigned IPs
blocking of all IP addresses coming into HQ from remote office other than those assigned at remote office.

In addition to this, we would be alerted of any failed authentication attempt, shuned mac-address,

Is the security in WPA2 sufficient? We would like to make this implementation without using VPN (layer 3 encryption)?. What else could we do to secure the wireless network without using a VPN? We want to consider any possible attacks including man in the middle attacks and mac address spoofing, etc.

popatim · Sep 26, 2014

IMO don't use wireless.

bill001g · Sep 26, 2014

AES is AES no matter if you use WPA2 or IPSEC. Nobody even bothers to try to crack the encryption itself they are trying to obtain the keys. The key exchange is what they try to hack but if you use something other than pre shared keys like a radius server using certificates even that becomes close to impossible to even get the initial key. Of course the best is a one time password token device but that is not workable when you are using non end users devices. Certificates on both end devices will prevent any form of man in the middle but it sometimes gets complex if you do not have actual registered domains and such

PSK are perfectly fine when you have a small number of devices controlled by a small group. Normally the issue is the key gets exposed because you have to tell a lot of end users. As long as you use keys with special characters and numbers it will be almost uncrackable. The actually session keys are randomly generated anyway so this is only the very initial exchange that is at risk.

jrcollins50 · Sep 26, 2014

bill001g :

bill001g, I appreciate your helpful input on this! My original plan was to use a randomly generated 60(ish) character key. We would configure this to change every 24 hours (for example). Like you said the actual key exchange would be the biggest vulnrability. I have worked very little with WPA2 "Enterprise" based authentication, but I will definately look into this more if you think it would add a layer of security to our design. We would actually only have a single device connecting on the remote end so any trouble that we have to go through to get it set up originally is well worth our time if we can add an additional layer of security by doing it. Thank you again for your helpful and on topic input! I have received very little of this on other forums! Any other input is more than welcome!

bill001g · Sep 26, 2014

The actual session key used to encrypt the data is changed based on amount of traffic sent as part of the AES protocol. The preshared keys are only used at the very beginning to create the connection and generate the first session key. Pretty much a key longer than 8 characters that contains symbols as well as upper and lower case characters is not possible to crack in someone lifetime so you can wait to change it when you suspect someone may have obtained it though other means than hacking. This key does not have to be really long because it is only used to generate the first real session keys. It also use the mac addresses as well as 2 random numbers to get that actual key.

Once it gets going it will use and regernerate session keys it will never again use the per shared key. This mean for someone to compromise a session they need to get in at the very beginning and then constantly decrypt data so they can obtain the keys as they change. So even if you managed to steal the preshared key you would then either have to wait until a new seasson starts or somehow trick it into restarting.

Generally there are easier targets so it is very rare for someone to attempt to hack a encrypted session.

popatim · Sep 26, 2014

To me, cracking wifi passwords is like hitting the lottery, and people hit that every day.
Its a 10 second ordeal to knock a client off the wifi and capture the handshake when it re-authenticates. After that you've given them 24hrs to basically hit the jackpot. Its just a matter of time until they either get lucky or the rent enough gpu clusters to guarantee it in a day...
If one 64GPU google cluster can bring your 250yrs down to less than 4, how many more would need to be rented to bring it down to a less than a day?

With you being a financial institution I gather the possible score would be rather large. Sounds like plenty of incentive for the wrong type of people.

Edit - I would like to add that I am not a security expect, just a very cautious security minded user with a belief that anything broadcast via radio waves can be hacked into rather easily.

jrcollins50 · Sep 26, 2014

popatim :

Thank you for your input. I can definitely appreciate your understanding of the importance of security especially on wireless networks. The reason we are considering a wireless design is because we do not want the traffic to traverse the internet, even across VPN. We would like to consider any possibility to add another layer of security to this wireless design. We will not implement any changes until we have a proven and solid plan.

popatim · Sep 26, 2014

Out of curiosity, Would this be for a users connection, purely data/files, or mixed?

bill001g · Sep 26, 2014

popatim :

You math is a little off but I suppose you could get lucky.

There are 95 symbols so the total number of combinations with just a 8 character password is 95^8.
Now even if you could guess 1 million keys/sec it would still take over 200 year if my math is right.

jrcollins50 · Sep 26, 2014

There is actually only one host at the remote "branch". The host would be sending software encrypted data to another host over the wireless link. I don't want to rely on the encryption of the data that is being sent, since this isn't my area. We just want to make sure we add every feasible layer of security to the wireless design before implementing.

Edit - When I say "I don't want to rely on the encryption of the data" I mean from a software standpoint. The data would also be encrypted over the wireless link.

Search

Connecting remote branch using WPA2 Security

jrcollins50

Reputable

popatim

Titan

bill001g

Titan

jrcollins50

Reputable

bill001g

Titan

popatim

Titan

jrcollins50

Reputable

popatim

Titan

bill001g

Titan

jrcollins50

Reputable

TRENDING THREADS

Latest posts

Moderators online

Share this page