
Is there a way to enhance WPA2 security?

trapizi

Hi guys, so someone asked me how to better secure a wireless network if it's already using WPA2. I've done some research and apparently WPA2 is the best for a standard wireless network.


Just now, Oshino Shinobu said:

You can add more layers like MAC access lists, but WPA2 is already pretty much as secure as it gets for normal wireless networks. 

Can you help me understand why adding more MAC access lists would improve security?


Just now, trapizi said:

Can you help me understand why adding more MAC access lists would improve security?

A MAC access list basically checks a wireless device's MAC address when it tries to connect, then either allows it or rejects it, depending on how the list is made. You can make MAC whitelists or MAC blacklists. Whitelists will allow all devices with MAC addresses that are on the list and reject any device not on the list. A blacklist will do the opposite, where every device on the list is rejected and everything else is allowed (provided they have the correct password).

 

Basically, it means that even if someone who's not meant to be on the network finds out the password, they won't be able to connect unless they've been added to or removed from the list (depending on whether it's a black or white list). 

 

It adds security, but can be impractical for networks with a large amount of clients, or on networks that often have new devices connecting to them, as it often requires the MAC lists to be kept updated manually. I believe there are ways to set up an automated authorisation method to add the device to the allowed list (something like employee login details), but I'm not too familiar with such systems. 


If this is a home network, no one is going to bother with cracking your encryption, unless you use some really obvious passwords and you have lots of cheap neighbours. 

If this is a business, maybe you should talk to someone who specializes in network security; they will probably tell you not to use WiFi if possible.


You can stop broadcasting your SSID. This would mean that whoever wants to connect needs the network name and password. That might be the best way to do it. The issue with MAC address filtering is that you can spoof MAC addresses and get around that. Although that's if you have the password. WPA2 with AES encryption is very hard to break. I've heard that it could take a supercomputer 800 years to crack. So if you have a strong password, I doubt anyone would be able to crack it, well at least outside the NSA or CIA.


1 hour ago, Donut417 said:

You can stop broadcasting your SSID. This would mean that whoever wants to connect needs the network name and password.

Hiding the SSID doesn't increase the security since the access point is still transmitting beacon frames.


16 hours ago, .spider. said:

Hiding the SSID doesn't increase the security since the access point is still transmitting beacon frames.

 

You can disable that though.

 

  • MAC white listing
  • 802.1x RADIUS authentication
  • VLAN wireless networks to only allow access to certain areas.

Also make sure you are using WPA2-AES and not WPA2-TKIP. I also set up DHCP whitelisting so devices only get IP addresses that I have entered into my DHCP server.


3 hours ago, Windspeed36 said:

 

  • MAC white listing
  • VLAN wireless networks to only allow access to certain areas.

The gain in security by MAC white listing is negligible.

It takes about 5 minutes to work around that by capturing a few seconds of traffic, finding a valid MAC (this is not difficult; all connected devices are transmitting their MAC several times per minute) and then changing your own MAC to the valid MAC.

 

I am pretty sure that WiFi cards in monitor mode are ignoring VLAN tags.

2 hours ago, leadeater said:

 I also setup DHCP white listing so devices only get IP addresses that I have entered in to my DHCP server.

Again, spoofing a MAC or finding a valid IP is not difficult.


Ways to secure your WiFi network

- Reduce signal strength
- Use a long, truly random password
- Keep your AP up to date
- Use APs from trustworthy brands
- Disable the "always on" WPS function some APs offer (an attack would take less than 8h)
- Turn the AP off if it is not in use
- Use 802.11w devices only (sadly not often supported)
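The list above, together with leadeater's earlier "WPA2-AES, not WPA2-TKIP" advice and the MAC whitelisting and 802.1X/RADIUS points, maps onto concrete access point settings. The script below is an added example, not code from the thread or from any of the posters: it parses hostapd-style key=value configuration and flags the weak choices discussed here (WPA1 still enabled, TKIP permitted, short pre-shared key, WPS on, 802.11w not required, 802.1X selected without a RADIUS server, allow-list ACL without a list file). The three embedded configurations are constructed; the option names are hostapd's, while the 20-character passphrase threshold and the "require ieee80211w=2" rule are my own assumptions.

```python
"""Audit a hostapd-style AP configuration for the weak settings the thread warns about.

Added example, not anyone's real configuration: the three configs below are
constructed and the thresholds are assumptions, not hostapd defaults.
"""

MIN_PSK_LEN = 20  # assumption: hostapd accepts 8..63 chars, but a long random PSK is the point


def parse_hostapd(text):
    """Parse key=value lines in hostapd.conf syntax; comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means no known-weak setting was found."""
    findings = []
    # wpa is a bitfield: 1 = WPA1, 2 = WPA2/RSN, 3 = both. Only 2 is acceptable.
    if cfg.get("wpa") != "2":
        findings.append("wpa: must be 2 (WPA2/RSN only); 1 or 3 also enables WPA1")
    # Pairwise ciphers for WPA1 (wpa_pairwise) and WPA2 (rsn_pairwise); TKIP is the weak one.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in cfg.get(key, "").split():
            findings.append(f"{key}: TKIP permitted; allow CCMP (AES) only")
    key_mgmt = cfg.get("wpa_key_mgmt", "").split()
    if "WPA-PSK" in key_mgmt and len(cfg.get("wpa_passphrase", "")) < MIN_PSK_LEN:
        findings.append(f"wpa_passphrase: shorter than {MIN_PSK_LEN} characters; use a long random passphrase")
    if "WPA-EAP" in key_mgmt:
        if cfg.get("ieee8021x") != "1":
            findings.append("ieee8021x: WPA-EAP selected but 802.1X is not enabled")
        if not cfg.get("auth_server_addr"):
            findings.append("auth_server_addr: no RADIUS server configured for WPA-EAP")
    # wps_state: 0 = disabled (hostapd default), 1/2 = enabled.
    if cfg.get("wps_state", "0") != "0":
        findings.append("wps_state: WPS enabled; set wps_state=0")
    # ieee80211w: 0 = off, 1 = optional, 2 = required. Assumption: require it.
    if cfg.get("ieee80211w", "0") != "2":
        findings.append("ieee80211w: management frame protection not required; set ieee80211w=2")
    # macaddr_acl=1 means deny unless listed in accept_mac_file (an allow-list).
    if cfg.get("macaddr_acl") == "1" and not cfg.get("accept_mac_file"):
        findings.append("macaddr_acl=1 (allow-list) set but accept_mac_file is missing")
    return findings


# Constructed: a typical default-ish home AP config with several of the weak choices.
WEAK_CONF = """
interface=wlan0
ssid=HomeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password1
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wps_state=2
"""

# Constructed: the same network with the thread's advice applied (passphrase is a made-up value).
HARDENED_PSK_CONF = """
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=Q7vkL2p9zR4mT0yB3wN8eJsX
rsn_pairwise=CCMP
wps_state=0
ieee80211w=2
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""

# Constructed: 802.1X/RADIUS (WPA2-Enterprise); server address is a documentation-range placeholder.
ENTERPRISE_CONF = """
interface=wlan0
ssid=CorpNet
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_RADIUS_SECRET
wps_state=0
ieee80211w=2
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened-psk", HARDENED_PSK_CONF), ("enterprise", ENTERPRISE_CONF)):
        findings = audit(parse_hostapd(text))
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Running it reports six findings for the weak configuration and none for the other two. Note that the allow-list (macaddr_acl) is checked only for being consistently configured; as the thread points out, it is a layer on top of the passphrase or 802.1X, not a replacement for either.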


7 hours ago, .spider. said:

The gain in security by MAC white listing is negligible.

It takes about 5 minutes to work around that by capturing a few seconds of traffic, finding a valid MAC (this is not difficult; all connected devices are transmitting their MAC several times per minute) and then changing your own MAC to the valid MAC.

 

I am pretty sure that WiFi cards in monitor mode are ignoring VLAN tags.

Again, spoofing a MAC or finding a valid IP is not difficult.

Any half decent AP can detect MAC spoofing nowadays and block the rogue client. Also, having a valid MAC address isn't enough to get connected; no one is saying use MAC as the only authentication method, it's part of a multi-phase authentication process.

 

If we take my setup as an example, which is how most enterprise deployments are done and the way I have set them up for clients, there are multiple points of authentication and authorization. All wireless SSIDs are protected by RADIUS, whose authentication source is Aruba (if using Aruba) / FortiAuthenticator (if not using Aruba) / Active Directory. Once you supply a correct username/password, the RADIUS accounting message is forwarded to my FortiGate firewall, which looks at the username and IP address and adds it to the authenticated user list. In this system the AP, the wireless controller, FortiAuthenticator and the FortiGate firewall have MAC/IP spoofing protection along with many other IDS/IPS protections.

 

The above I do not seriously think anyone should be running at home.

 

Nothing is perfect and there is no best answer; some things people will find too overbearing and laborious, so they just won't do it. It's a balance between security and usability.

 

Actually breaking into WPA2-protected wireless systems is very rare; 99.999% are from people using the default password. The only serious security concern is, as you mentioned, WPS, and I agree: turn that off.

7 hours ago, leadeater said:

Any half decent AP can detect MAC spoofing now days and block the rogue client.

I'd really like to know how that works, because listening for a valid MAC is absolutely quiet.

1 hour ago, .spider. said:

I'd really like to know how that works, because listening for a valid MAC is absolutely quiet.

It wouldn't stop you listening for MAC addresses, but if you tried to use one you have found, that is when the spoof protection will kick in. I have no doubt you can defeat the spoof protection though, by waiting for the victim client to disconnect and then using its MAC address. You would still actually need the password.

 

Not all systems are that easy to defeat though, controller managed systems have a lot more awareness than standalone APs.

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Device-conflict/td-p/201891

 

Now part of HP/Aruba (sorry for the massive link :P)

https://d1x3hnhct7p62q.cloudfront.net/SupportSite/ProductionFiles/f4dbcc2f-8b73-4299-8984-71470a4426c2/PreventMACspoof.pdf?Expires=1472290700&Signature=OofE0-y3eweFJqjrwx-nXjUT4FcqHLfxoOLHzPwUtO8~JIBhcwG7IYg8Ke6XbjUQjISdk1feknhm8Sl4aO4xn2UZ6PqUK64Nso0m9FuxyP-NypV9WwVDYl~FqhCrRUmEG1Ogbc8atlpB1HlmJp1OINOAIlFWLwNWkQOareBteV1bcUEwvRnc00djwUFB-9cLOa47dbTvIbrYCy8xaXU8kql5UFUTUWtOy7prpwDpjeQCvw~~99aJURy7ntjcSMcGMUbo-ehPey3gBbFobgmjhySSrdO~5vl7yG7nFMMFbSSxVN9qrjyF1IpE1ECuxK-SBkfGm5S1THhMo1MSmF855g__&Key-Pair-Id=APKAJCOCR7KIA7QV5SEQ 
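To make the "device conflict" style of detection leadeater refers to concrete, here is an added Python example (not code from the thread, from Aruba or from any vendor) that replays a constructed controller log and raises an alert when one client MAC is associated to two APs without an intervening disassociation, sends data through an AP it is not associated to, or shows 802.11 sequence-number jumps that suggest two transmitters sharing one address. The log format, AP names, MAC addresses and the 256-frame jump threshold are all assumptions; a real controller sees richer signals (RSSI, radio, capabilities) than this simplified version uses.

```python
"""Spot a cloned or spoofed client MAC from AP/controller association logs.

Added example; the log format, AP names and MAC addresses below are
constructed, not taken from any real controller or from the thread.
"""
import re
from collections import namedtuple

Alert = namedtuple("Alert", "t mac ap reason")

# Constructed log format: one line per 802.11 event the controller observed.
LOG_RE = re.compile(
    r"t=(?P<t>\d+) ap=(?P<ap>\S+) event=(?P<event>assoc|disassoc|data) "
    r"mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) seq=(?P<seq>\d+)"
)

SEQ_MOD = 4096          # 802.11 sequence numbers are 12-bit and wrap around
MAX_FORWARD_JUMP = 256  # assumption: a larger modular jump hints at a second transmitter


def parse_log(lines):
    """Yield parsed events as dicts; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield {**m.groupdict(), "t": int(m["t"]), "seq": int(m["seq"])}


def detect_conflicts(lines):
    """Return the list of Alerts raised while replaying the log in order."""
    active = {}    # mac -> AP it is currently associated to
    last_seq = {}  # mac -> last data-frame sequence number seen
    alerts = []
    for ev in parse_log(lines):
        mac, ap, t, seq = ev["mac"], ev["ap"], ev["t"], ev["seq"]
        if ev["event"] == "assoc":
            # A second association while the first is still live, with no
            # disassociation in between, is the "device conflict" a controller flags.
            if mac in active and active[mac] != ap:
                alerts.append(Alert(t, mac, ap, "ASSOC_WHILE_ACTIVE"))
            active[mac] = ap
            last_seq.pop(mac, None)  # a fresh association legitimately restarts the counter
        elif ev["event"] == "disassoc":
            active.pop(mac, None)
            last_seq.pop(mac, None)
        else:  # data frame
            if mac in active and active[mac] != ap:
                alerts.append(Alert(t, mac, ap, "DATA_VIA_UNASSOCIATED_AP"))
            prev = last_seq.get(mac)
            # Modular delta: a small forward step is normal, a wrap from 4095 to 0 is
            # normal, but going backwards or leaping ahead means two interleaved counters.
            if prev is not None and (seq - prev) % SEQ_MOD > MAX_FORWARD_JUMP:
                alerts.append(Alert(t, mac, ap, "SEQ_DISCONTINUITY"))
            last_seq[mac] = seq
    return alerts


# Constructed sample: ...:01 is cloned by a second device on AP-2 while the real
# client stays on AP-1; ...:02 roams cleanly; ...:03 simply wraps its counter.
SAMPLE_LOG = """\
t=1 ap=AP-1 event=assoc mac=aa:bb:cc:00:00:01 seq=10
t=2 ap=AP-1 event=data mac=aa:bb:cc:00:00:01 seq=11
t=3 ap=AP-1 event=data mac=aa:bb:cc:00:00:01 seq=12
t=4 ap=AP-2 event=assoc mac=aa:bb:cc:00:00:01 seq=500
t=5 ap=AP-1 event=data mac=aa:bb:cc:00:00:01 seq=13
t=6 ap=AP-2 event=data mac=aa:bb:cc:00:00:01 seq=501
t=7 ap=AP-1 event=data mac=aa:bb:cc:00:00:01 seq=14
t=1 ap=AP-1 event=assoc mac=aa:bb:cc:00:00:02 seq=700
t=2 ap=AP-1 event=data mac=aa:bb:cc:00:00:02 seq=701
t=3 ap=AP-1 event=disassoc mac=aa:bb:cc:00:00:02 seq=702
t=4 ap=AP-2 event=assoc mac=aa:bb:cc:00:00:02 seq=703
t=5 ap=AP-2 event=data mac=aa:bb:cc:00:00:02 seq=704
t=1 ap=AP-1 event=assoc mac=aa:bb:cc:00:00:03 seq=4093
t=2 ap=AP-1 event=data mac=aa:bb:cc:00:00:03 seq=4094
t=3 ap=AP-1 event=data mac=aa:bb:cc:00:00:03 seq=4095
t=4 ap=AP-1 event=data mac=aa:bb:cc:00:00:03 seq=0
t=5 ap=AP-1 event=data mac=aa:bb:cc:00:00:03 seq=1
""".splitlines()

if __name__ == "__main__":
    for a in detect_conflicts(SAMPLE_LOG):
        print(f"t={a.t} {a.mac} via {a.ap}: {a.reason}")
```

Run as a script it prints five alerts, all for the cloned address; the client that roams with a proper disassociation and the client whose counter wraps from 4095 to 0 produce none, which is the false-positive check a real WIDS rule needs before it is allowed to block anything. It also shows the limit spider points out: purely passive listening never produces a log line, so detection only begins once the copied address is actually used on the network.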
