PaulDotCom mailing list archives

Secure "Relative Term I guess" Wireless network withVPN


From: raffi at flossyourmind.com (Raffi Jamgotchian)
Date: Wed, 3 Feb 2010 21:52:29 -0500

PSKs can easily be sucked out if you are using the standard Windows
Supplicant to connect (using nirsoft tools)

 

 

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Jody & Jennifer
McCluggage
Sent: Tuesday, February 02, 2010 1:30 PM
To: 'PaulDotCom Security Weekly Mailing List'
Subject: Re: [Pauldotcom] Secure "Relative Term I guess" Wireless network
withVPN

 

Under the conditions that you describe (no radius, no enterprise gear,
single user), I believe your best bet would be to implement WPA-2 Personal.
This setup requires a pre-shared key that is used by both sides. Under most
clients, after initial setup, the user does not need to know the pre-shared
key to use it (it is installed on the client), so make the pre-shared key
wickedly long and complex (25+ random string).  The biggest issues with
pre-shared keys are that all systems must use the same one and they usually
must be manually updated (i.e. they are not changed on a regular basis).
Since you are only implementing for one user, the first weakness is
mitigated quite a bit.  You can help mitigate the second one by creating a
very long and complex string and securely storing it (use something like Kee
Password safe, etc.).  Most of the tools out there that currently attempt to
break WPA-2 Personal rely on a weak pre-shared key (i.e. most don't directly
attack the encryption or algorithm), so they can usually be thwarted by using
a strong key.

 

I have not worked directly with OpenWRT but I assume that it supports WPA-2
Personal?

 

As for HIPAA, it does not proscribe specific steps on how to secure wireless
(the new updates in the ARRA HITECH does proscribe acceptable encryption.
WPA-2 uses AES which should satisfy it).  Its goal is to simply secure
protected health information.  It is the organization's job to determine the
best way to do that and justify it through risk analysis and migration
processes.  So the bottom line is, whatever you decide to do, document what
you perceive the risk to be and how you went about mitigating it.

 

Jody

 

  _____  

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Tyler Robinson
Sent: Monday, February 01, 2010 7:56 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Secure "Relative Term I guess" Wireless network
withVPN

 

Just wondering if anyone has had any experience configuring DDWRT or OpenWRT
to be HIPAA compliant across WIFI. I have a single user, single machine
Medication cart that I need to be WIFI mobile but still HIPAA compliant, and
of course the customer wants to spend the least amount of money, so no radius
and no special enterprise WIFI Gear. Any advice is always appreciated.
Thanks,
TR

-- 
Tyler Robinson
Owner of Computer Impressions
